Syslog generating logfiles, not sending to remote server
-
said in Syslog generating logfiles, not sending to remote server:
Do you see a state opened for port 514?
-
@Gertjan we are using a rapid7 collector listening on port 10000
I can see no packet popping up on the collector ip address when i run the nc command I see no packet from the pfsense to the collector. Nothing in packet capture either on the pfsense.
If i run the same nc command from another server i see the packet in tcpdump on the collector and in packet capture on the pfsense.
-
@stephenw10 No state for 514 udp to the syslog server
-
@justincm said in Syslog generating logfiles, not sending to remote server:
If i run the same nc command from another server ...
to where ?
Not 'to' pfSense, right, but to another server, like my example : 192.168.1.4, which is my syslog 'collect' server.
In this case, pfSense can't see - you can't packet capture, this information as it never reached pfSense (the pfSense IP)I was executing this command :
echo -n "hello" | nc -4u -w1 192.168.1.4 514from the pfSense command line to my syslog server which has 192.168.1.1 (my pfSense IP is 192.168.1.1).
If you run
echo -n "hello" | nc -4u -w1 192.168.1.4 514from pfSense and you can't packet capture that traffic, then the issue isn't 'syslog' as 'nc' isn't (using the pfSense) syslog.
-
I am running the nc command from the pfsense and another server using the syslog server in the command.
from the pfsense, I see no packets reaching the syslog server using tcpdump or see any packets in packet trace on the pfsense itself.
When i run the same nc command from another server, I see the packet using tcpdump on the syslog server and the traffic using packet capture on the pfsense monitoring traffic to the syslog server.
-
Ok so do you see a state on port 10000 if that's what it's configured for?
If not, and nc also fails, I would check the routing table to make sure the expected route to the syslog server is present.
-
@stephenw10 No state for port 10000
route does exist for the interface on the syslog server subnet.
-
Just to be clear you mentioned port 514 in your first post but your syslog server is configured to listen on port 10000? Is pfSense actually configured to use port 10000?
-
the remote logging is setup to send to port IP_ADDRESS:10000.
on the syslog server I can see in netstat that port 10000 is open
-
OK cool. Yet you are not seeing either states on port 10000 or packets leaving pfSense on port 10000 when new logs are being generated locally?
-
Correct
-
@justincm said in Syslog generating logfiles, not sending to remote server:
on the syslog server I can see in netstat that port 10000 is open
Nuance : netstat will show a process that is 'bound' = listen on that port. If all goes well, it the syslog collector port.
That doesn't mean it will actually receive traffic on that port, as the system firewall can still block incoming traffic.Example : on pfSense :
[25.07.1-RELEASE][root@pfSense.bhf.tld]/root: sockstat -4 | grep 'nginx' root nginx 28252 5 tcp4 *:443 *:* root nginx 28252 8 tcp4 *:80 *:* root nginx 28139 5 tcp4 *:443 *:* root nginx 28139 8 tcp4 *:80 *:* root nginx 27732 5 tcp4 *:443 *:* root nginx 27732 8 tcp4 *:80 *:*This tells me that nginx, the pfSense web server GUI listen on all (!!) existing pfSense interfaces, and that includes the WAN interface(s).
This doesn't mean that I, and the entire world, can access the pfSense GUI from WAN, as WAN firewall rules won't allow this to happen.
