Logs Input configured, but no incoming data (Windows 2012R2)

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Logs Input configured, but no incoming data (Windows 2012R2)

Post by dlukinski »

Hi

We've configured the logs input (conf files attached), but there is no incoming data while the logs are being updated at the source.

tcp {
port => 4448
type => RPAROBPappLOG
}
udp {
port => 4448
type => RPAROBPappLOG
}

Should there be a Linux firewall configured separately, and if that is the case, why does this document not contain the applicable steps?
https://assets.nagios.com/downloads/nag ... Inputs.pdf
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Logs Input configured, but no incoming data (Windows 201

Post by cdienger »

Run "iptables -L" to check for any rules that may be blocking the port. If there is a block then a rule will need to be added to allow the connection on that port.

Thanks for pointing out the document. We'll be updating it.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Logs Input configured, but no incoming data (Windows 201

Post by scottwilkerson »

dlukinski wrote:Should there be Linux Firewall configured separately
Yes, and I agree we should add it to the doc.

To get you going
RHEL/CentOS 6.x:

Code:

iptables -I INPUT -p udp --dport 4448 -j ACCEPT
iptables -I INPUT -p tcp --dport 4448 -j ACCEPT
service iptables save

RHEL/CentOS 7.x:

Code:

firewall-cmd --zone=public --add-port=4448/udp
firewall-cmd --zone=public --add-port=4448/udp --permanent
firewall-cmd --zone=public --add-port=4448/tcp
firewall-cmd --zone=public --add-port=4448/tcp --permanent
Former Nagios employee
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Re: Logs Input configured, but no incoming data (Windows 201

Post by dlukinski »

scottwilkerson wrote:
dlukinski wrote:Should there be Linux Firewall configured separately
Yes, and I agree we should add it to the doc.

To get you going
RHEL/CentOS 6.x:

Code:

iptables -I INPUT -p udp --dport 4448 -j ACCEPT
iptables -I INPUT -p tcp --dport 4448 -j ACCEPT
service iptables save

RHEL/CentOS 7.x:

Code:

firewall-cmd --zone=public --add-port=4448/udp
firewall-cmd --zone=public --add-port=4448/udp --permanent
firewall-cmd --zone=public --add-port=4448/tcp
firewall-cmd --zone=public --add-port=4448/tcp --permanent

Hi

I opened Firewall ports (and opened ALL ports from the client to the LOG server). Added Route. Still no luck
Really need your help in getting this to work. Should I open a ticket?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: Logs Input configured, but no incoming data (Windows 201

Post by scottwilkerson »

Can you post your C:\Program Files (x86)\nxlog\data\nxlog.log so we can see what errors the Windows system is having when sending?
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Re: Logs Input configured, but no incoming data (Windows 201

Post by dlukinski »

scottwilkerson wrote:Can you post your C:\Program Files (x86)\nxlog\data\nxlog.log so we can see what errors the Windows system is having when sending?
Please review log file attached
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Logs Input configured, but no incoming data (Windows 201

Post by cdienger »

There are a lot of messages like this logged:

ERROR couldn't connect to tcp socket on logging.konecranes.com:4448

Do you see the port up and listening on the NLS server if you run "netstat -na | grep 4448" ?

Verify the traffic is making it to the NLS server:

yum -y install tcpdump
tcpdump -i any -nn port 4448


The above will display the packets the NLS server receives on port 4448.
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Re: Logs Input configured, but no incoming data (Windows 201

Post by dlukinski »

cdienger wrote:There are a lot of messages like this logged:

ERROR couldn't connect to tcp socket on logging.konecranes.com:4448

Do you see the port up and listening on the NLS server if you run "netstat -na | grep 4448" ?

Verify the traffic is making it to the NLS server:

yum -y install tcpdump
tcpdump -i any -nn port 4448


The above will display the packets the NLS server receives on port 4448.
Hi

it looks like I am receiving something:


[root@fikc-naglsprod01 ~]# yum -y install tcpdump
Loaded plugins: fastestmirror
Setting up Install Process
Loading mirror speeds from cached hostfile
* base: mirrors.glesys.net
* epel: mirrors.dotsrc.org
* extras: mirrors.glesys.net
* updates: mirrors.glesys.net
Package 14:tcpdump-4.0.0-11.20090921gitdf3cb4.2.el6.x86_64 already installed and latest version
Nothing to do
[root@fikc-naglsprod01 ~]# tcpdump -i any -nn port 4448
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
17:25:47.446570 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [SEW], seq 1719687259, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
17:25:47.446609 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [S.E], seq 554844867, ack 1719687260, win 14600, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
17:25:47.447184 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [.], ack 1, win 4106, length 0
17:25:47.447646 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 1:353, ack 1, win 4106, length 352
17:25:47.447663 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 353, win 123, length 0
17:25:47.447978 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 353:1307, ack 1, win 4106, length 954
17:25:47.447988 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 1307, win 138, length 0
17:25:47.448254 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 1307:2378, ack 1, win 4106, length 1071
17:25:47.448262 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 2378, win 155, length 0
17:25:47.448420 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 2378:2745, ack 1, win 4106, length 367
17:25:47.448427 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 2745, win 171, length 0
17:25:47.448598 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 2745:3464, ack 1, win 4106, length 719
17:25:47.448605 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 3464, win 188, length 0
17:25:47.448745 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 3464:3816, ack 1, win 4106, length 352
17:25:47.448752 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 3816, win 205, length 0
17:25:47.448916 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 3816:4468, ack 1, win 4106, length 652
17:25:47.448921 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 4468, win 222, length 0
17:25:47.449076 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 4468:4998, ack 1, win 4106, length 530
17:25:47.449085 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 4998, win 238, length 0
17:25:47.449218 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 4998:5299, ack 1, win 4106, length 301
17:25:47.449225 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 5299, win 255, length 0
17:25:47.449350 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 5299:5651, ack 1, win 4106, length 352
17:25:47.449355 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 5651, win 272, length 0
17:25:47.449516 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 5651:6303, ack 1, win 4106, length 652
17:25:47.449523 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 6303, win 288, length 0
17:25:47.449661 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 6303:6833, ack 1, win 4106, length 530
17:25:47.449667 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 6833, win 305, length 0
17:25:47.449808 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 6833:7134, ack 1, win 4106, length 301
17:25:47.449813 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 7134, win 322, length 0
17:25:47.450022 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 7134:7853, ack 1, win 4106, length 719
17:25:47.450029 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 7853, win 323, length 0
17:25:47.455644 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 22287, win 501, length 0
17:25:47.455815 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 22287:23391, ack 1, win 4106, length 1104
17:25:47.455994 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 23391, win 501, length 0
17:25:47.456222 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 23391:24851, ack 1, win 4106, length 1460
17:25:47.456232 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 24851:24944, ack 1, win 4106, length 93
17:25:47.456276 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 24944, win 501, length 0
17:25:47.456485 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 24944:25614, ack 1, win 4106, length 670
17:25:47.456996 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 25614:27074, ack 1, win 4106, length 1460
17:25:47.457005 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 27074:27101, ack 1, win 4106, length 27
17:25:47.457460 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 27101:28561, ack 1, win 4106, length 1460
17:25:47.457469 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 28561:28654, ack 1, win 4106, length 93
17:25:47.457648 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 28654, win 501, length 0
17:25:47.457872 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 28654:29242, ack 1, win 4106, length 588
17:25:47.457958 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 29242, win 501, length 0
17:25:47.458237 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 29242:30362, ack 1, win 4106, length 1120
17:25:47.458277 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 30362, win 501, length 0
17:25:47.458467 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 30362:30893, ack 1, win 4106, length 531
17:25:47.458502 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 30893, win 501, length 0
17:25:47.458662 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 30893:31629, ack 1, win 4106, length 736
17:25:47.458701 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 31629, win 501, length 0
17:25:47.458840 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 31629:31931, ack 1, win 4106, length 302
17:25:47.458872 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 31931, win 501, length 0
17:25:47.459020 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 31931:32218, ack 1, win 4106, length 287
17:25:47.459337 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 32218, win 501, length 0
17:25:47.459505 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 32218:33678, ack 1, win 4106, length 1460
17:25:47.459519 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 33678:33869, ack 1, win 4106, length 191
17:25:47.459534 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 33869, win 491, length 0
17:25:47.459680 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 33869:34237, ack 1, win 4106, length 368
17:25:47.459713 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 34237, win 501, length 0
17:25:47.459862 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 34237:34605, ack 1, win 4106, length 368
17:25:47.459907 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 34605, win 501, length 0
17:25:47.460064 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 34605:35195, ack 1, win 4106, length 590
17:25:47.460095 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 35195, win 501, length 0
17:25:47.460317 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 35195:35726, ack 1, win 4106, length 531
17:25:47.460348 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 35726, win 501, length 0
17:25:47.460499 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 35726:36028, ack 1, win 4106, length 302
17:25:47.460529 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 36028, win 501, length 0
17:25:47.460749 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 36028:36316, ack 1, win 4106, length 288
17:25:47.460779 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 36316, win 501, length 0
17:25:47.460939 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 36316:36683, ack 1, win 4106, length 367
17:25:47.460968 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 36683, win 501, length 0
17:25:47.461111 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 36683:36985, ack 1, win 4106, length 302
17:25:47.461141 IP 10.102.36.164.4448 > 10.102.76.44.63927: Flags [.], ack 36985, win 501, length 0
17:25:47.461277 IP 10.102.76.44.63927 > 10.102.36.164.4448: Flags [P.], seq 36985:37352, ack 1, win 4106, length 367
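
As an added example (not part of the thread or of the Nagios documentation): a shell function that reads `tcpdump -nn` text like the capture above and reports whether packets for the input port arrived, whether the server answered the handshake, and whether payload was delivered. The verdict names and the sample capture are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage `tcpdump -nn port N` text output.
# classify_capture PORT reads capture lines on stdin and prints one verdict:
#   no-traffic      nothing addressed to PORT arrived (route, upstream filter, wrong target)
#   syn-unanswered  SYNs arrive, server never replies (local firewall dropping)
#   refused         server replies with RST (no listener on PORT, or a REJECT rule)
#   connected-idle  handshake completes, client sends no payload
#   data-received   payload reaches the port: look at the input/pipeline, not the network
classify_capture() {
    awk -v port="$1" '
    $2 == "IP" || $2 == "IP6" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        flags = ($6 == "Flags") ? $7 : ""      # UDP lines carry no flags field
        len = 0
        for (i = 6; i < NF; i++) if ($i == "length") len = $(i + 1) + 0
        if (dst ~ ("\\." port "$")) {          # client -> listener
            seen = 1
            if (flags ~ /S/ && flags !~ /\./) syn++
            bytes += len
        } else if (src ~ ("\\." port "$")) {   # listener -> client
            if (flags ~ /S/ && flags ~ /\./) synack++
            if (flags ~ /R/) rst++
        }
    }
    END {
        if (!seen)                print "no-traffic"
        else if (rst && !synack)  print "refused"
        else if (syn && !synack)  print "syn-unanswered"
        else if (bytes > 0)       print "data-received bytes=" bytes
        else                      print "connected-idle"
    }'
}

# Constructed sample capture (documentation addresses), same shape as the trace above.
SAMPLE='12:00:00.000001 IP 192.0.2.10.50000 > 192.0.2.20.4448: Flags [S], seq 1, win 8192, length 0
12:00:00.000002 IP 192.0.2.20.4448 > 192.0.2.10.50000: Flags [S.], seq 9, ack 2, win 14600, length 0
12:00:00.000003 IP 192.0.2.10.50000 > 192.0.2.20.4448: Flags [.], ack 1, win 4106, length 0
12:00:00.000004 IP 192.0.2.10.50000 > 192.0.2.20.4448: Flags [P.], seq 1:353, ack 1, win 4106, length 352
12:00:00.000005 IP 192.0.2.20.4448 > 192.0.2.10.50000: Flags [.], ack 353, win 123, length 0'

printf '%s\n' "$SAMPLE" | classify_capture 4448
```

On a live server the same function can be fed a bounded capture, for example `tcpdump -i any -nn -c 200 port 4448 | classify_capture 4448`.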
cdienger
Support Tech
Posts: 5045
Joined: Tue Feb 07, 2017 11:26 am

Re: Logs Input configured, but no incoming data (Windows 201

Post by cdienger »

Is 10.102.76.44 the correct IP address? The trace does show a connection, but the logs are complaining that one cannot be made. Has anything changed in the logs?
dlukinski
Posts: 1130
Joined: Tue Oct 06, 2015 9:42 am

Re: Logs Input configured, but no incoming data (Windows 201

Post by dlukinski »

cdienger wrote:Is 10.102.76.44 the correct IP address? The trace does show a connection, but the logs are complaining that one cannot be made. Has anything changed in the logs?
Yes, it is correct, and I am actually getting incoming data after adding /Route options

- This one I was not aware of, and it seems not to work w/o the option in the config file
Locked