7 Replies Latest reply on Aug 9, 2019 12:43 AM by mtxx80

    Firewall rules update problem

    mtxx80 Lurker

      I'm having a problem sending syslog to my Graylog server. Syslog is only sent if I disable the firewall on the host. Ports 514 and 1514 are enabled in the firewall rules.

      If the firewall is enabled, nc -zu graylog-server 514 / 1514 works OK.

      The strange thing is that if I manually edit services.xml and run esxcli network firewall refresh, nothing changes.

      Please help.

        • 1. Re: Firewall rules update problem
          scott28tt Champion

          Moderator note: Moved to ESXi

          • 2. Re: Firewall rules update problem
            MartinGustafsson Hot Shot

            Hi,

            Can you list the syslog configuration?

            esxcli system syslog config get

            To enable syslog in the firewall:

            esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
            esxcli network firewall refresh

            • 3. Re: Firewall rules update problem
              mtxx80 Lurker

              Thanks for the reply,

              esxcli system syslog config get:

              Default Network Retry Timeout: 180
              Dropped Log File Rotation Size: 100
              Dropped Log File Rotations: 10
              Enforce SSLCertificates: false
              Local Log Output: /scratch/log
              Local Log Output Is Configured: true
              Local Log Output Is Persistent: true
              Local Logging Default Rotation Size: 1024
              Local Logging Default Rotations: 8
              Log To Unique Subdirectory: false
              Message Queue Drop Mark: 90
              Remote Host: udp://10.22.2.102:514,udp://10.22.2.102:1514

              esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
              esxcli network firewall refresh

              Still no data on the Graylog server :-( if the firewall is enabled.

              • 4. Re: Firewall rules update problem
                MartinGustafsson Hot Shot

                Can you list the current firewall configuration?

                esxcli network firewall ruleset rule list --ruleset-id=syslog
                esxcli network firewall ruleset allowedip list --ruleset-id=syslog

                • 5. Re: Firewall rules update problem
                  mtxx80 Lurker

                  esxcli network firewall ruleset rule list --ruleset-id=syslog

                  Ruleset  Direction  Protocol  Port Type  Port Begin  Port End
                  -------  ---------  --------  ---------  ----------  --------
                  syslog   Outbound   UDP       Dst               514       514
                  syslog   Outbound   TCP       Dst               514       514
                  syslog   Outbound   TCP       Dst              1514      1514

                  esxcli network firewall ruleset allowedip list --ruleset-id=syslog

                  Ruleset  Allowed IP Addresses
                  -------  --------------------
                  syslog   10.22.2.0/24

                  • 6. Re: Firewall rules update problem
                    MartinGustafsson Hot Shot

                    I can see that UDP 1514 is not enabled in the firewall. Can you try changing your syslog settings to send only to UDP 514 and see if that works?

                    esxcli system syslog config set --loghost='udp://10.22.2.102:514'

                    • 7. Re: Firewall rules update problem
                      mtxx80 Lurker

                      esxcli system syslog config get

                      Default Network Retry Timeout: 180
                      Dropped Log File Rotation Size: 100
                      Dropped Log File Rotations: 10
                      Enforce SSLCertificates: false
                      Local Log Output: /scratch/log
                      Local Log Output Is Configured: true
                      Local Log Output Is Persistent: true
                      Local Logging Default Rotation Size: 1024
                      Local Logging Default Rotations: 8
                      Log To Unique Subdirectory: false
                      Message Queue Drop Mark: 90
                      Remote Host: udp://10.22.2.102:514

                      nc -zu 10.22.2.102 514

                      Connection to 10.22.2.102 514 port [udp/syslog] succeeded!

                      Still no data from syslog on Graylog :-(
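The mismatch spotted in reply 6 (a udp://...:1514 loghost with no UDP 1514 rule in the syslog ruleset) can be checked mechanically. The following is an added example, not code from the thread or from VMware: a POSIX shell function that reads the Remote Host line of esxcli system syslog config get and the rule table of esxcli network firewall ruleset rule list --ruleset-id=syslog, and prints every configured loghost whose protocol and port fall inside no Outbound rule. The embedded inputs are constructed copies of the outputs posted above; the helper name and its handling of ssl:// as TCP are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample inputs, shaped like the outputs posted in this thread.
SYSLOG_CFG_BEFORE='Remote Host: udp://10.22.2.102:514,udp://10.22.2.102:1514'
SYSLOG_CFG_AFTER='Remote Host: udp://10.22.2.102:514'
SYSLOG_RULES='Ruleset  Direction  Protocol  Port Type  Port Begin  Port End
-------  ---------  --------  ---------  ----------  --------
syslog   Outbound   UDP       Dst               514       514
syslog   Outbound   TCP       Dst               514       514
syslog   Outbound   TCP       Dst              1514      1514'

# uncovered_loghosts CONFIG_OUTPUT RULE_TABLE
# Prints one line per configured loghost (proto://host:port) whose protocol
# and destination port are inside no Outbound rule of the syslog ruleset.
# Hypothetical helper; assumes IPv4 or hostname loghosts (no bracketed IPv6).
uncovered_loghosts() {
  cfg=$1; rules=$2
  printf '%s\n' "$cfg" | sed -n 's/^[[:space:]]*Remote Host:[[:space:]]*//p' \
    | tr ',' '\n' | while IFS= read -r url; do
    case $url in
      *://*) ;;                     # a real loghost URL
      *) continue ;;                # "<none>" or an empty entry
    esac
    proto=$(printf '%s' "$url" | cut -d: -f1 | tr 'a-z' 'A-Z')
    port=${url##*:}
    [ "$proto" = SSL ] && proto=TCP   # assumption: ssl:// loghosts use TCP
    # Match on ruleset, direction, protocol and port range of each rule row.
    if ! printf '%s\n' "$rules" | awk -v p="$proto" -v n="$port" '
        $1 == "syslog" && $2 == "Outbound" && $3 == p &&
        $5 + 0 <= n + 0 && n + 0 <= $6 + 0 { found = 1 }
        END { exit !found }'; then
      printf '%s\n' "$url"
    fi
  done
}

# Stand-alone run: the original config reports udp://10.22.2.102:1514,
# the adjusted config from reply 7 reports nothing.
echo "Before:"; uncovered_loghosts "$SYSLOG_CFG_BEFORE" "$SYSLOG_RULES"
echo "After:";  uncovered_loghosts "$SYSLOG_CFG_AFTER" "$SYSLOG_RULES"
```

On a live host, pipe the two real command outputs in; an empty result means the ruleset covers every configured loghost, so a remaining delivery failure lies outside the syslog ruleset's port rules.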