Unable to receive incoming syslog on port 514

Re: Unable to receive incoming syslog on port 514
tgriep wrote:
> Try disabling the firewall and see if the server starts to receive the logs.
> Also, verify that the input is still configured in the Logserver's GUI and that it is enabled.

I received LOGs the moment iptables were stopped. What is wrong with iptables(?)
scottwilkerson
- DevOps Engineer
- Posts: 19396
- Joined: Tue Nov 15, 2011 3:11 pm
- Location: Nagios Enterprises
Re: Unable to receive incoming syslog on port 514
you aren't allowing traffic on port 514
Code:
iptables -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
iptables-save

Re: Unable to receive incoming syslog on port 514
scottwilkerson wrote:
> you aren't allowing traffic on port 514
> Code:
> iptables -A INPUT -m state --state NEW -m udp -p udp --dport 514 -j ACCEPT
> iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 514 -j ACCEPT
> iptables-save

and it stopped receiving all the syslogs..
scottwilkerson
Re: Unable to receive incoming syslog on port 514
can you post the output of
Code:
cat /etc/sysconfig/iptables

Re: Unable to receive incoming syslog on port 514
scottwilkerson wrote:
> can you post the output of
> Code:
> cat /etc/sysconfig/iptables

login as: root
[email protected]'s password:
Last login: Tue Jan 22 19:28:24 2019 from 10.104.116.201
[root@fikc-naglsprod01 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Wed Jan 16 15:47:46 2019
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4344:3251345]
-A INPUT -p tcp -m tcp --dport 4450 -j ACCEPT
-A INPUT -p udp -m udp --dport 4450 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4448 -j ACCEPT
-A INPUT -p udp -m udp --dport 4448 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3516 -j ACCEPT
-A INPUT -p udp -m udp --dport 4447 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4447 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4446 -j ACCEPT
-A INPUT -p udp -m udp --dport 4446 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2057 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 2056 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5544 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4444 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4445 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3515 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 9300:9400 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5667 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 3516 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4448 -j ACCEPT
-A INPUT -p udp -m udp --dport 4448 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Wed Jan 16 15:47:46 2019
[root@fikc-naglsprod01 ~]#
And it still does not work

Re: Unable to receive incoming syslog on port 514
The firewall is blocking the inbound connections as the INPUT for port 514 should be above all of the REJECTS.
First check the line number by running the following.
Code:
iptables -nL --line-numbers
Delete the rule based on the line number by running this
Code:
iptables -D INPUT {line}
Add the rule back in using the line number from the above command. Put it below the 5666 rule.
Code:
iptables -I INPUT {line} -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT
To save the rules, run this as root.
Code:
iptables-save
Test to see if the logs come in.
You may also want to do this for the 4448 rules.
Be sure to check out our Knowledgebase for helpful articles and solutions!
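
The ordering problem described in the post above can be checked mechanically. The following is an added example, not code posted by anyone in the thread: it reads iptables-save output and lists every rule that sits after a catch-all REJECT/DROP in the same chain. The function names `shadowed_rules` and `sample_ruleset` are hypothetical, and the sample ruleset is constructed to mirror the shape of the one shown earlier.

```shell
#!/bin/sh
# Added example (not from the thread): list rules that can never match
# because a catch-all REJECT/DROP earlier in the same chain ends evaluation.
# Input is iptables-save format on stdin or as file arguments.
shadowed_rules() {
    awk '
        /^\*/ { split("", blocker); split("", pos); next }  # new table
        $1 == "-A" {
            chain = $2
            pos[chain]++
            if (chain in blocker) {
                printf "%s %d (after catch-all at %d): %s\n",
                       chain, pos[chain], blocker[chain], $0
                next
            }
            # "-A CHAIN -j REJECT|DROP [--reject-with X]" has no match
            # criteria, so every packet that reaches it stops there.
            if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP") &&
                (NF == 4 || (NF == 6 && $5 == "--reject-with")))
                blocker[chain] = pos[chain]
        }
    ' "$@"
}

# Constructed sample, abbreviated from the shape of the ruleset in the thread.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 4448 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

sample_ruleset | shadowed_rules
```

The positions it reports are per-chain rule numbers, the same numbering `iptables -nL --line-numbers` shows.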

Re: Unable to receive incoming syslog on port 514
tgriep wrote:
> The firewall is blocking the inbound connections as the INPUT for port 514 should be above all of the REJECTS.
> First check the line number by running the following.
> Code:
> iptables -nL --line-numbers
> Delete the rule based on the line number by running this
> Code:
> iptables -D INPUT {line}
> Add the rule back in using the line number from the above command. Put it below the 5666 rule.
> Code:
> iptables -I INPUT {line} -p udp -m state --state NEW -m udp --dport 514 -j ACCEPT
> To save the rules, run this as root.
> Code:
> iptables-save
> Test to see if the logs come in.
> You may also want to do this for the 4448 rules.

Thank you Tom
Worked as a mix of editing iptables file and using commands
Please close the thread

Re: Unable to receive incoming syslog on port 514
Thanks for the update! Glad to hear you got it working!
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.