NXlog external port forward through firewall

Hey Guys, I’m using NXlog to forward events. Works fine internally but if I put it on a remote machine and forward the ports to doesn’t seem to reach the server. The conf file says UDP 12201 and I’m forwarding it but nothing … any ideas anyone ?

hi @capsyslog

can you please provide more info?
How are you forwarding the logs from the remote machine to the GL server?
Is the GL server behind a firewall? if so, are the connections between remote and local allowed?
Is tcpdump showing if something is received on the GL server, port 12201, for the remote system?


Hey @m_mlk,

Thanks for coming back to me. Going on a guide I found regarding NXlog, this is the output in my conf file:

Module om_udp Host Port 12201 #Exec to_syslog_snare(); OutputType GELF

Works fine internally but if I repolace the IP with my static external and forward the port to the internal IP … nothing …

hello again,

is there a firewall between both servers?

Yup, but I’ve forwarded on UDP 12201 from the WAN to in the internal IP … nothing gets there … I was thinking it might be to do with a timing, would a log take longer than usual to forward ?

Nope. As long as the firewall allows the connection between point A and point B, you should see messages hitting your GL server…

Can you run this as root on the GL server?

First, check that port 12201 is actually listening:

lsof -Pni:12201

You should see something similar to this:

$ lsof  -Pni:12201
java    318793 graylog  127u  IPv6 98560532      0t0  UDP *:12201 
java    318793 graylog  130u  IPv6 98560534      0t0  UDP *:12201 
java    318793 graylog  135u  IPv6 98560537      0t0  UDP *:12201 
java    318793 graylog  136u  IPv6 98559768      0t0  UDP *:12201

Then check if something reaches the GL server:

tcpdump -vnX src REMOTE-IP and port 12201

replace REMOTE-IP with, well, the remote server’s IP :slight_smile:

If you see nothing, something is wrong with the firewall configuration.


1 Like

Hey @m_mlk,

Thanks for the help. lsof gives me this so that seems ok:

root@celsyslog:/home/capsyslog# lsof -Pni:12201
java 6176 graylog 94u IPv6 100417 0t0 UDP *:12201
java 6176 graylog 96u IPv6 98869 0t0 UDP *:12201
java 6176 graylog 97u IPv6 98870 0t0 UDP *:12201
java 6176 graylog 98u IPv6 98871 0t0 UDP *:12201

The GL server is the only Ubuntu machine I have though … do you know a Win cmd to perform the dump?

Hi @capsyslog

the tcpdump I showed you is to be executed on the Graylog server, so you can check whether the remote Windows machine is actually reaching GL on port 12201.

I hope it’s clearer now.


Oh ok, the IP of the remote machine trying to reach the GL server … is that the internal DHCP address or external IP as both could change or does it matter?

Try with whichever the FW is allowing to connect to the Graylog server.

When in doubt: try both :slight_smile:

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.