I'm having a problem sending syslog to my Graylog server. Syslog is only sent if I disable the firewall on the host. Ports 514 and 1514 are enabled in the firewall rules.
If the firewall is enabled, nc -zu graylog-server 514 / 1514 works OK.
Strange thing: if I manually edit services.xml and run esxcli network firewall refresh, nothing changes.
Please help
Moderator note: Moved to ESXi
Hi,
Can you list the syslog configuration?
esxcli system syslog config get
To enable syslog in the firewall,
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh
Thanks for reply,
esxcli system syslog config get:
Default Network Retry Timeout: 180
Dropped Log File Rotation Size: 100
Dropped Log File Rotations: 10
Enforce SSLCertificates: false
Local Log Output: /scratch/log
Local Log Output Is Configured: true
Local Log Output Is Persistent: true
Local Logging Default Rotation Size: 1024
Local Logging Default Rotations: 8
Log To Unique Subdirectory: false
Message Queue Drop Mark: 90
Remote Host: udp://10.22.2.102:514,udp://10.22.2.102:1514
esxcli network firewall ruleset set --ruleset-id=syslog --enabled=true
esxcli network firewall refresh
Still no data on the Graylog server 😞 if the firewall is enabled.
Can you list the current firewall configuration?
esxcli network firewall ruleset rule list --ruleset-id=syslog
esxcli network firewall ruleset allowedip list --ruleset-id=syslog
esxcli network firewall ruleset rule list --ruleset-id=syslog
Ruleset  Direction  Protocol  Port Type  Port Begin  Port End
-------  ---------  --------  ---------  ----------  --------
syslog   Outbound   UDP       Dst               514       514
syslog   Outbound   TCP       Dst               514       514
syslog   Outbound   TCP       Dst              1514      1514
esxcli network firewall ruleset allowedip list --ruleset-id=syslog
Ruleset  Allowed IP Addresses
-------  --------------------
syslog   10.22.2.0/24
I can see that UDP 1514 is not enabled in the firewall. Can you try changing your syslog settings to only send to UDP 514 and see if that works?
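The coverage check the reply above does by eye, written out as an added example that is not part of the thread: it parses the text output of esxcli system syslog config get and esxcli network firewall ruleset rule list --ruleset-id=syslog and reports every loghost whose protocol/port has no outbound rule. The sample output is copied from the posts above; the default-port mapping for loghosts given without a port is an assumption.

```python
"""Cross-check ESXi remote syslog targets against the syslog firewall ruleset."""
from urllib.parse import urlsplit

# Sample esxcli output taken from the thread (only the relevant line/rows).
SYSLOG_CONFIG = "Remote Host: udp://10.22.2.102:514,udp://10.22.2.102:1514\n"
RULE_LIST = """\
Ruleset  Direction  Protocol  Port Type  Port Begin  Port End
-------  ---------  --------  ---------  ----------  --------
syslog   Outbound   UDP       Dst               514       514
syslog   Outbound   TCP       Dst               514       514
syslog   Outbound   TCP       Dst              1514      1514
"""
# Assumed defaults when a loghost omits the port (udp/tcp 514, ssl 1514).
DEFAULT_PORTS = {"udp": 514, "tcp": 514, "ssl": 1514}


def parse_loghosts(config_text):
    """Return [(proto, host, port)] from the 'Remote Host:' line."""
    for line in config_text.splitlines():
        if line.startswith("Remote Host:"):
            value = line.split(":", 1)[1].strip()
            break
    else:
        return []
    targets = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        parts = urlsplit(entry if "://" in entry else "udp://" + entry)
        proto = parts.scheme.lower()
        port = parts.port or DEFAULT_PORTS.get(proto, 514)
        targets.append((proto, parts.hostname, port))
    return targets


def parse_rules(rule_text):
    """Return [(direction, protocol, port_begin, port_end)] from the rule table."""
    rules = []
    for line in rule_text.splitlines():
        cols = line.split()
        # Data rows have 6 tokens and numeric begin/end ports; header and dashes do not.
        if len(cols) == 6 and cols[4].isdigit() and cols[5].isdigit():
            rules.append((cols[1].lower(), cols[2].lower(), int(cols[4]), int(cols[5])))
    return rules


def find_uncovered(targets, rules):
    """Return loghosts with no outbound rule for their protocol/port (ssl rides on TCP)."""
    missing = []
    for proto, host, port in targets:
        wire = "tcp" if proto == "ssl" else proto
        if not any(d == "outbound" and p == wire and b <= port <= e for d, p, b, e in rules):
            missing.append((proto, host, port))
    return missing


if __name__ == "__main__":
    for proto, host, port in find_uncovered(parse_loghosts(SYSLOG_CONFIG), parse_rules(RULE_LIST)):
        print(f"no outbound {proto.upper()} rule for {host}:{port} in ruleset syslog")
```

Note that nc -zu only reports failure when an ICMP port-unreachable comes back, so a "succeeded" line does not prove the datagram actually left the host through the firewall.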
esxcli system syslog config set --loghost='udp://10.22.2.102:514'
esxcli system syslog config get
Default Network Retry Timeout: 180
Dropped Log File Rotation Size: 100
Dropped Log File Rotations: 10
Enforce SSLCertificates: false
Local Log Output: /scratch/log
Local Log Output Is Configured: true
Local Log Output Is Persistent: true
Local Logging Default Rotation Size: 1024
Local Logging Default Rotations: 8
Log To Unique Subdirectory: false
Message Queue Drop Mark: 90
Remote Host: udp://10.22.2.102:514
nc -zu 10.22.2.102 514
Connection to 10.22.2.102 514 port [udp/syslog] succeeded!
Still no data from syslog on Graylog 😞