Port redirect 514->1514 - Possible port forward rule issue

Hello everyone,

I have a Graylog 4.0.5 installation. I installed as per the Graylog documentation on Redhat 7.9, and all services seem to working correctly.

I am trying to send TCP Syslog logs to the server, using port 514.

Using TCPDump, I can see the packets reaching the server:

sudo tcpdump -i eth01 udp port 514 -vv -X

tcpdump: listening on eth01, link-type EN10MB (Ethernet), capture size 262144 bytes
09:49:34.754418 IP (tos 0x0, ttl 254, id 14343, offset 0, flags [none], proto UDP (17), length 86)
cod_ve_11_1_5.test.machine.com.59490 > vm01.test.machine.com.syslog: [udp sum ok] SYSLOG, length: 58
Facility local7 (23), Severity debug (7)
Msg: 74126968: Jul 8 09:49:34 CET: {1C000200}
0x0000: 3c31 3931 3e37 3431 3236 3936 383a 204a
0x0010: 756c 2020 3820 3039 3a34 393a 3334 2043
0x0020: 4554 3a20 2020 2020 2020 2020 2020 2020
0x0030: 7b31 4330 3030 3230 307d
0x0000: 4500 0056 3807 0000 fe11 be94 c0a8 4e05 E…V8…N.
0x0010: c0a8 f6a4 e862 0202 0042 4d0e 3c31 3931 …b…BM.<191
0x0020: 3e37 3431 3236 3936 383a 204a 756c 2020 >74126968:.Jul…
0x0030: 3820 3039 3a34 393a 3334 2043 4554 3a20 8.09:49:34.CET:.
0x0040: 2020 2020 2020 2020 2020 2020 7b31 4330 …{1C0
0x0050: 3030 3230 307d 00200}

I added permanent rules to the firewall service to redirect these 514 packets to port 1514:
sudo firewall-cmd --add-forward-port=port=514:proto=udp:toport=1514
sudo firewall-cmd --add-forward-port=port=514:proto=tcp:toport=1514
sudo firewall-cmd --runtime-to-permanent

And if I check the firewall configuration, it shows:

sudo firewall-cmd --list-all

public (active)
target: default
icmp-block-inversion: no
interfaces: eth01
services: dhcpv6-client snmp ssh
ports: 9000/tcp 8081/tcp 514/udp 514/tcp 1514/tcp 1514/udp
masquerade: no
forward-ports: port=514:proto=udp:toport=1514:toaddr=
rich rules:

I also grepped netstat for 514:

sudo netstat -antup | grep 514

tcp6 0 0 :::1514 :::* LISTEN 3138/java
udp6 0 0 :::1514 :::* 3138/java
udp6 0 0 :::1514 :::* 3138/java

Within Graylog I have set up an input with the following settings:
Bind address:
Port: 1514
Receive buffer size: 1048576
No Worker threads: 2

But I am getting Zero msg/s in the Throughput/Metrics of the Input.

Has anyone had a similar issue, and know of something else I can try?

I have tried making a TCPDump of port 1514 (sudo tcpdump -i ens192 udp port 1514 -vv -X
) but it doesn’t show any packets being captured. This leads me to beleive the port forwarding isn’t configured as it should be, although I followed a post on this forum which specified those port forwarding rules.

Thanks for any information you could provide.

Hello && Welcome

Are you able to use a different port then 514?

What type of input are you using?

Maybe something like this.

Hope that helps

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.