Hello everyone,
I have a Graylog 4.0.5 installation. I installed as per the Graylog documentation on Redhat 7.9, and all services seem to be working correctly.
I am trying to send TCP Syslog logs to the server, using port 514.
Using TCPDump, I can see the packets reaching the server:
sudo tcpdump -i eth01 udp port 514 -vv -X
tcpdump: listening on eth01, link-type EN10MB (Ethernet), capture size 262144 bytes
09:49:34.754418 IP (tos 0x0, ttl 254, id 14343, offset 0, flags [none], proto UDP (17), length 86)
cod_ve_11_1_5.test.machine.com.59490 > vm01.test.machine.com.syslog: [udp sum ok] SYSLOG, length: 58
Facility local7 (23), Severity debug (7)
Msg: 74126968: Jul 8 09:49:34 CET: {1C000200}
I added permanent rules to the firewall service to redirect these 514 packets to port 1514:
sudo firewall-cmd --add-forward-port=port=514:proto=udp:toport=1514
sudo firewall-cmd --add-forward-port=port=514:proto=tcp:toport=1514
sudo firewall-cmd --runtime-to-permanent
And if I check the firewall configuration, it shows:
sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth01
sources:
services: dhcpv6-client snmp ssh
ports: 9000/tcp 8081/tcp 514/udp 514/tcp 1514/tcp 1514/udp
protocols:
masquerade: no
forward-ports: port=514:proto=udp:toport=1514:toaddr=
port=514:proto=tcp:toport=1514:toaddr=
source-ports:
icmp-blocks:
rich rules:
I also grepped netstat for 514:
sudo netstat -antup | grep 514
tcp6 0 0 :::1514 :::* LISTEN 3138/java
udp6 0 0 :::1514 :::* 3138/java
udp6 0 0 :::1514 :::* 3138/java
Within Graylog I have set up an input with the following settings:
Bind address: 0.0.0.0
Port: 1514
Receive buffer size: 1048576
No Worker threads: 2
But I am getting Zero msg/s in the Throughput/Metrics of the Input.
Has anyone had a similar issue, and know of something else I can try?
I have tried making a TCPDump of port 1514 (sudo tcpdump -i ens192 udp port 1514 -vv -X) but it doesn't show any packets being captured. This leads me to believe the port forwarding isn't configured as it should be, although I followed a post on this forum which specified those port forwarding rules.
Thanks for any information you could provide.
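A small diagnostic script, added here and not part of the original post, that checks the firewalld forward-port rules and the 1514 listener from the same two commands quoted above; the embedded command output is constructed to match the post's shape, and LIVE=1 is an assumed switch that reads the real commands instead.

```shell
#!/bin/sh
# Added helper (not from the original post): checks the two things the post
# verifies by hand, the firewalld forward-port rules and the Graylog listener,
# from captured command output. The sample output below is constructed to
# match the shape shown in the post; set LIVE=1 to read the real commands.

FIREWALL_OUT='public (active)
  target: default
  interfaces: eth01
  ports: 9000/tcp 514/udp 514/tcp 1514/tcp 1514/udp
  forward-ports: port=514:proto=udp:toport=1514:toaddr=
        port=514:proto=tcp:toport=1514:toaddr='
NETSTAT_OUT='tcp6       0      0 :::1514                 :::*                    LISTEN      3138/java
udp6       0      0 :::1514                 :::*                                3138/java'

if [ "${LIVE:-0}" = 1 ]; then
    FIREWALL_OUT=$(sudo firewall-cmd --list-all)
    NETSTAT_OUT=$(sudo netstat -antup)
fi

# has_forward PROTO FROM TO: 0 if firewalld forwards FROM/PROTO to local port TO
has_forward() {
    printf '%s\n' "$FIREWALL_OUT" | grep -q "port=$2:proto=$1:toport=$3:"
}

# has_listener PROTO PORT: 0 if a tcp/udp (v4 or v6) socket is bound on PORT
has_listener() {
    printf '%s\n' "$NETSTAT_OUT" | grep -E "^$1(6)?[[:space:]]" | grep -qE "[:.]$2[[:space:]]"
}

# check_path PROTO: 0 when both the forward rule and the listener exist for PROTO
check_path() {
    rc=0
    if has_forward "$1" 514 1514; then echo "ok   forward 514/$1 -> 1514"
    else echo "FAIL no forward-port rule for 514/$1"; rc=1; fi
    if has_listener "$1" 1514; then echo "ok   listener on 1514/$1"
    else echo "FAIL nothing bound on 1514/$1"; rc=1; fi
    return $rc
}

# Note: tcpdump captures inbound packets before netfilter's PREROUTING DNAT, so
# a capture filtered on port 1514 stays empty even when forwarding works;
# capture on port 514 and watch the input's throughput counter instead.
check_path udp; check_path tcp
```

Because tcpdump sees inbound packets before the DNAT in PREROUTING, an empty capture on port 1514 does not by itself show that the forward-port rule is broken.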