Collect UDP Syslogs

I have configured my ESXi hosts to use the Graylog syslog server (loghost=udp://10.10.10.40:514).

In the Graylog UI, I created a new input (Syslog UDP) and specified the Port as 1514.

Syslog UDP is running.

I also ran command:
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514

It is not collecting any data.

I am also NOT able to telnet to port 514 or 1514 on this Graylog Syslog server IP.

Thanks for your help!

The best way is to send directly to the port of the Graylog input, so:
loghost=udp://10.10.10.40:1514

I don’t have good experience with NAT from port 514.

Just to confirm, still use the Graylog Input “Syslog UDP”, correct?

Also, if I were to change the port from 514 to 1514 on my ESXi host as you suggested, it still would not work because, as I noted in my post, I am unable to telnet to the Graylog syslog server on either port, 514 or 1514.

Do you know why my Graylog Syslog server is not listening on either of these ports? There are no firewalls in play here.

Hi, you can't telnet to UDP ports (because it's a stateless protocol); it's only possible with TCP.

Your problem is probably the firewall on the ESXi host, which by default blocks all outgoing connections. So please update your firewall settings and add port 1514 (as an outgoing port) to the firewall in ESXi.

https://4sysops.com/archives/how-to-open-and-close-firewall-ports-on-vmware-esxi-hosts/
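The point made above, that a TCP probe such as telnet says nothing about a UDP input, is easy to see in code. The following is an added example, not part of the original thread or of Graylog: it builds a constructed RFC 3164 syslog line of the kind an ESXi host emits, shows that a TCP connect to a closed port fails loudly while a UDP sendto to a closed port "succeeds" with no error at all, and then shows the check that does work for UDP, which is looking at what the receiving side actually gets. The hostname "esxi01", the app name "Hostd" and the fixed timestamp are sample values; everything runs on 127.0.0.1 with ephemeral ports, so it works offline.

```python
"""Added demo (not from the original thread): probing a UDP syslog input.

Everything runs against 127.0.0.1 on ephemeral ports, so it works offline;
the hostname "esxi01" and the app name "Hostd" are constructed sample values.
"""
import socket


def build_syslog_message(host, app, msg, facility=1, severity=6,
                         timestamp="Jan  1 12:00:00"):
    """Build a minimal RFC 3164 (BSD) syslog line of the kind an ESXi host emits.

    PRI is facility*8 + severity; facility 1 (user) + severity 6 (info) -> <14>.
    The timestamp is fixed so the output is reproducible (constructed value).
    """
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {host} {app}: {msg}".encode()


def parse_pri(line):
    """Return (facility, severity) decoded from the leading <PRI> field."""
    if not line.startswith(b"<") or b">" not in line:
        raise ValueError("missing <PRI> prefix")
    pri = int(line[1:line.index(b">")])
    return pri // 8, pri % 8


def probe_tcp(host, port, timeout=1.0):
    """What 'telnet host port' actually tests: a TCP three-way handshake.

    Returns True only when a listener accepts the connection; a closed port
    answers with RST and create_connection() raises ConnectionRefusedError.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_udp(host, port, payload):
    """Send one datagram. There is no handshake, so sendto() returns
    successfully whether or not anything listens on the port; the only
    feedback from a closed port is an optional ICMP "port unreachable" that
    a plain unconnected socket never surfaces. A UDP 'probe' therefore proves
    nothing about the server side; only receiving on the server does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))
    return True


def closed_port():
    """Pick a port nothing listens on: bind to port 0, read the number, close."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def deliver_over_udp(payload, timeout=2.0):
    """Stand-in for a Graylog 'Syslog UDP' input: bind a UDP listener on an
    ephemeral port, send the message to it, and return what the listener got.
    This is the check that actually works for UDP: look at the receiving end."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(timeout)
        port = srv.getsockname()[1]
        probe_udp("127.0.0.1", port, payload)
        data, _addr = srv.recvfrom(65535)
    return data


if __name__ == "__main__":
    port = closed_port()
    print(f"TCP connect to closed port {port}:", probe_tcp("127.0.0.1", port))
    print(f"UDP sendto to closed port {port}: ", probe_udp("127.0.0.1", port, b"test"))
    msg = build_syslog_message("esxi01", "Hostd", "constructed test event")
    got = deliver_over_udp(msg)
    print("listener received:", got.decode(), "-> facility/severity", parse_pri(got))
```

On the real Graylog host the equivalent of the receiving-side check is to confirm the input is bound (`ss -lun` lists UDP listeners) and to watch the port while the ESXi host sends (`tcpdump -ni any udp port 1514`); if the datagrams never appear in the capture, the problem is upstream of Graylog, which is where the ESXi outgoing firewall rule comes in.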

Thank you! I had forgotten about UDP being stateless and not "telnet'able". I did have the firewall on ESXi open. I removed my current Syslog UDP input and added a new Syslog TCP input, then specified TCP using port 1514.

loghost=tcp://10.10.10.40:1514

It is now collecting :o)
