Hey Guys, I’m using NXlog to forward events. It works fine internally, but if I put it on a remote machine and forward the ports it doesn’t seem to reach the server. The conf file says UDP 12201 and I’m forwarding it, but nothing … any ideas, anyone?
hi @capsyslog
can you please provide more info?
How are you forwarding the logs from the remote machine to the GL server?
Is the GL server behind a firewall? if so, are the connections between remote and local allowed?
Is tcpdump showing if something is received on the GL server, port 12201, for the remote system?
TIA
Hey @m_mlk,
Thanks for coming back to me. Going on a guide I found regarding NXlog, this is the output in my conf file:
    Module om_udp
    Host 192.168.1.100
    Port 12201
    #Exec to_syslog_snare();
    OutputType GELF
Works fine internally, but if I replace the IP with my static external one and forward the port to the internal IP … nothing …
hello again,
is there a firewall between both servers?
Yup, but I’ve forwarded UDP 12201 from the WAN to the internal IP … nothing gets there … I was thinking it might be to do with timing; would a log take longer than usual to forward?
Nope. As long as the firewall allows the connection between point A and point B, you should see messages hitting your GL server…
Can you run this as root on the GL server?
First, check that port 12201 is actually listening:
lsof -Pni:12201
You should see something similar to this:
$ lsof -Pni:12201
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 318793 graylog 127u IPv6 98560532 0t0 UDP *:12201
java 318793 graylog 130u IPv6 98560534 0t0 UDP *:12201
java 318793 graylog 135u IPv6 98560537 0t0 UDP *:12201
java 318793 graylog 136u IPv6 98559768 0t0 UDP *:12201
Then check if something reaches the GL server:
tcpdump -vnX src REMOTE-IP and port 12201
replace REMOTE-IP with, well, the remote server’s IP
If you see nothing, something is wrong with the firewall configuration.
HTH
Hey @m_mlk,
Thanks for the help. lsof gives me this so that seems ok:
root@celsyslog:/home/capsyslog# lsof -Pni:12201
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
java 6176 graylog 94u IPv6 100417 0t0 UDP *:12201
java 6176 graylog 96u IPv6 98869 0t0 UDP *:12201
java 6176 graylog 97u IPv6 98870 0t0 UDP *:12201
java 6176 graylog 98u IPv6 98871 0t0 UDP *:12201
The GL server is the only Ubuntu machine I have though … do you know a Win cmd to perform the dump?
Hi @capsyslog
the tcpdump I showed you is to be executed on the Graylog server, so you can check whether the remote Windows machine is actually reaching GL on port 12201.
I hope it’s clearer now.
Cheers
Oh ok, the IP of the remote machine trying to reach the GL server … is that the internal DHCP address or the external IP, as both could change, or does it matter?
Try with whichever the FW is allowing to connect to the Graylog server.
When in doubt: try both