Netgate Discussion Forum

    Syslog generating logfiles, not sending to remote server

      justincm @stephenw10

      @stephenw10 No state for 514 udp to the syslog server

        Gertjan @justincm

        @justincm said in Syslog generating logfiles, not sending to remote server:

        If I run the same nc command from another server ...

        To where?
        Not 'to' pfSense, right, but to another server, like my example: 192.168.1.4, which is my syslog 'collect' server.
        In this case, pfSense can't see (you can't packet capture) this information, as it never reached pfSense (the pfSense IP).

        I was executing this command :

        echo -n "hello" | nc -4u -w1 192.168.1.4 514
        

        from the pfSense command line to my syslog server which has 192.168.1.1 (my pfSense IP is 192.168.1.1).

        If you run

        echo -n "hello" | nc -4u -w1 192.168.1.4 514
        

        from pfSense and you can't packet capture that traffic, then the issue isn't 'syslog' as 'nc' isn't (using the pfSense) syslog.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

          justincm @justincm

          I am running the nc command from the pfSense and from another server, using the syslog server in the command.

          From the pfSense, I see no packets reaching the syslog server using tcpdump, nor do I see any packets in packet trace on the pfSense itself.

          When I run the same nc command from another server, I see the packet using tcpdump on the syslog server and the traffic using packet capture on the pfSense monitoring traffic to the syslog server.

            stephenw10 Netgate Administrator

            Ok so do you see a state on port 10000 if that's what it's configured for?

            If not, and nc also fails, I would check the routing table to make sure the expected route to the syslog server is present.

              justincm @stephenw10

              @stephenw10 No state for port 10000

              Route does exist for the interface on the syslog server subnet.

                stephenw10 Netgate Administrator

                Just to be clear you mentioned port 514 in your first post but your syslog server is configured to listen on port 10000? Is pfSense actually configured to use port 10000?

                  justincm @stephenw10

                  @stephenw10

                  The remote logging is set up to send to port IP_ADDRESS:10000.

                  On the syslog server I can see in netstat that port 10000 is open.

                    stephenw10 Netgate Administrator

                    OK cool. Yet you are not seeing either states on port 10000 or packets leaving pfSense on port 10000 when new logs are being generated locally?

                      justincm @stephenw10

                      @stephenw10

                      Correct

                        Gertjan @justincm

                        @justincm said in Syslog generating logfiles, not sending to remote server:

                        on the syslog server I can see in netstat that port 10000 is open

                        Nuance: netstat will show a process that is 'bound' = listening on that port. If all goes well, it is the syslog collector port.
                        That doesn't mean it will actually receive traffic on that port, as the system firewall can still block incoming traffic.

                        Example : on pfSense :

                        [25.07.1-RELEASE][root@pfSense.bhf.tld]/root: sockstat -4 | grep 'nginx'
                        root     nginx      28252 5   tcp4   *:443                 *:*
                        root     nginx      28252 8   tcp4   *:80                  *:*
                        root     nginx      28139 5   tcp4   *:443                 *:*
                        root     nginx      28139 8   tcp4   *:80                  *:*
                        root     nginx      27732 5   tcp4   *:443                 *:*
                        root     nginx      27732 8   tcp4   *:80                  *:*
                        

                        This tells me that nginx, the pfSense web server GUI, listens on all (!!) existing pfSense interfaces, and that includes the WAN interface(s).
                        This doesn't mean that I, and the entire world, can access the pfSense GUI from WAN, as WAN firewall rules won't allow this to happen.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??
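
The distinction made in the post above (a bound port in netstat or sockstat versus traffic actually arriving) can be tested end to end with a tagged probe. This is an added example, not code from the thread; the function names, the message format and the loopback addresses are assumptions chosen so that it runs on one machine.

```python
import socket
import uuid

def build_probe(token, pri=14, tag="delivery-test"):
    """BSD-syslog-style line; PRI 14 = facility user (1), severity info (6)."""
    return f"<{pri}>{tag}: probe token={token}".encode()

def send_probe(host, port, token):
    """Sender side (the host whose logs are missing). A successful sendto()
    only means the datagram was handed to the local stack, nothing more."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(build_probe(token), (host, port))

def wait_for_token(sock, token, timeout=1.0):
    """Collector side: return the sender's (ip, port) once a datagram carrying
    the token arrives on the bound socket, or None if the wait times out."""
    sock.settimeout(timeout)
    needle = token.encode()
    try:
        while True:
            data, peer = sock.recvfrom(2048)
            if needle in data:
                return peer
    except socket.timeout:
        return None

def demo():
    # Constructed loopback setup: 'listener' plays the syslog collector,
    # 'spare' stands in for a wrong or filtered destination port.
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))      # now "bound", as netstat would show
    port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    spare.bind(("127.0.0.1", 0))
    wrong_port = spare.getsockname()[1]
    try:
        t1 = uuid.uuid4().hex
        send_probe("127.0.0.1", wrong_port, t1)   # sent, never reaches listener
        missed = wait_for_token(listener, t1, timeout=0.5)
        t2 = uuid.uuid4().hex
        send_probe("127.0.0.1", port, t2)         # sent to the bound port
        arrived = wait_for_token(listener, t2)
        return missed, arrived
    finally:
        listener.close()
        spare.close()

if __name__ == "__main__":
    print(demo())
```

In the first case the listener is bound the whole time and still sees nothing, which is the state netstat alone cannot reveal.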

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.