VMware Cloud Community
mtxx80
Contributor

Firewall rules update problem

I'm having a problem sending syslog to my Graylog server. Syslog is only sent if I disable the firewall on the host. Ports 514 and 1514 are enabled in the firewall rules.

With the firewall enabled, nc -zu graylog-server 514 / 1514 works OK.

Strangely, if I manually edit services.xml and run esxcli network firewall refresh, nothing changes.

Please help

7 Replies
scott28tt
VMware Employee

Moderator note: Moved to ESXi

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog
MartinGustafsso
VMware Employee

Hi,

Can you list the syslog configuration?

esxcli system syslog config get

To enable syslog in the firewall,

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true

esxcli network firewall refresh

mtxx80
Contributor

Thanks for the reply.

esxcli system syslog config get:

Default Network Retry Timeout: 180
Dropped Log File Rotation Size: 100
Dropped Log File Rotations: 10
Enforce SSLCertificates: false
Local Log Output: /scratch/log
Local Log Output Is Configured: true
Local Log Output Is Persistent: true
Local Logging Default Rotation Size: 1024
Local Logging Default Rotations: 8
Log To Unique Subdirectory: false
Message Queue Drop Mark: 90
Remote Host: udp://10.22.2.102:514,udp://10.22.2.102:1514

esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true

esxcli network firewall refresh

Still no data on the Graylog server 😞 if the firewall is enabled.

MartinGustafsso
VMware Employee

Can you list the current firewall configuration?

esxcli network firewall ruleset rule list --ruleset-id=syslog

esxcli network firewall ruleset allowedip list --ruleset-id=syslog

mtxx80
Contributor

esxcli network firewall ruleset rule list --ruleset-id=syslog

Ruleset  Direction  Protocol  Port Type  Port Begin  Port End
-------  ---------  --------  ---------  ----------  --------
syslog   Outbound   UDP       Dst               514       514
syslog   Outbound   TCP       Dst               514       514
syslog   Outbound   TCP       Dst              1514      1514

esxcli network firewall ruleset allowedip list --ruleset-id=syslog

Ruleset  Allowed IP Addresses
-------  --------------------
syslog   10.22.2.0/24

MartinGustafsso
VMware Employee

I can see that UDP 1514 is not enabled in the firewall. Can you try changing your syslog settings to only send to UDP 514 and see if that works?

esxcli system syslog config set --loghost='udp://10.22.2.102:514'

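An added check, not from this thread and not an esxcli feature, that automates the comparison the reply above makes by eye: it parses the Remote Host line of esxcli system syslog config get and the rule table of esxcli network firewall ruleset rule list --ruleset-id=syslog, then reports every loghost whose protocol and port no outbound rule covers. The two inputs embedded below are constructed to match the output posted in this thread; on a host you would substitute the live command output.

```shell
#!/bin/sh
# Constructed sample input, copied from the values posted in the thread.
# On an ESXi host use instead:
#   SYSLOG_CFG=$(esxcli system syslog config get)
#   RULES=$(esxcli network firewall ruleset rule list --ruleset-id=syslog)
SYSLOG_CFG='Remote Host: udp://10.22.2.102:514,udp://10.22.2.102:1514'

RULES='Ruleset  Direction  Protocol  Port Type  Port Begin  Port End
-------  ---------  --------  ---------  ----------  --------
syslog   Outbound   UDP       Dst               514       514
syslog   Outbound   TCP       Dst               514       514
syslog   Outbound   TCP       Dst              1514      1514'

# Print one "proto port" pair per configured loghost, e.g. "udp 514".
# The greedy .* keeps this working for bracketed IPv6 hosts as well.
loghosts() {
  printf '%s\n' "$1" | sed -n 's/^ *Remote Host: *//p' | tr ',' '\n' |
    sed -n 's#^\([a-z]*\)://.*:\([0-9]*\)$#\1 \2#p'
}

# For each loghost, look for an Outbound rule with the same protocol whose
# Port Begin..Port End range contains the port; report any that has none.
missing_rules() {
  loghosts "$1" | while read -r proto port; do
    if ! printf '%s\n' "$2" | awk -v p="$proto" -v port="$port" '
        $2 == "Outbound" && toupper($3) == toupper(p) &&
        $5 + 0 <= port + 0 && port + 0 <= $6 + 0 { found = 1 }
        END { exit !found }'; then
      echo "no outbound $proto rule for port $port"
    fi
  done
}

missing_rules "$SYSLOG_CFG" "$RULES"
```

With the thread's values this prints "no outbound udp rule for port 1514", which is exactly the gap pointed out in the reply above.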
mtxx80
Contributor

esxcli system syslog config get

   Default Network Retry Timeout: 180
   Dropped Log File Rotation Size: 100
   Dropped Log File Rotations: 10
   Enforce SSLCertificates: false
   Local Log Output: /scratch/log
   Local Log Output Is Configured: true
   Local Log Output Is Persistent: true
   Local Logging Default Rotation Size: 1024
   Local Logging Default Rotations: 8
   Log To Unique Subdirectory: false
   Message Queue Drop Mark: 90
   Remote Host: udp://10.22.2.102:514

nc -zu 10.22.2.102 514

Connection to 10.22.2.102 514 port [udp/syslog] succeeded!

Still no data from syslog on Graylog 😞
