topic Re: TCP requirement for syslog transfer in Getting Data In

TCP requirement for syslog transfer

jibin1988 — Wed, 29 Jan 2020 08:08:20 GMT

Syslogs are sent on UDP port 514 towards Syslog-ng

But we have experienced if tcp for port 514 is not working/not open, syslogs are not transferred

As soon tcp is fixed, syslogs start transferring and validation is successful !

Can someone explain why it is like this/how this works?

Re: TCP requirement for syslog transfer

gcusello — Wed, 29 Jan 2020 09:13:05 GMT

Hi @jibin1988,
are you sure about this?
I have experienced many times that opening only UDP port (enabling UDP network input), syslogs arrive.

Another question, you speak about syslog-ng, but are you receiving syslogs using syslog-ng or Splunk input?

Ciao.
Giuseppe

Re: TCP requirement for syslog transfer

jibin1988 — Wed, 29 Jan 2020 12:22:38 GMT

Hi Giuseppe ,

We have experienced this situation, Already UDP port 514 was open and still device was not reporting. after troubleshooting for long hours we opened TCP port and device started sending logs.

And yes we are using syslog-ng for collecting the logs not Splunk input.

Regards,
Jibin

Re: TCP requirement for syslog transfer

gcusello — Wed, 29 Jan 2020 12:32:11 GMT

Hi @jibin1988,
in this case I'm not able to support you, you need a network expert not a Splunk expert!
At the same time, I hint to try the Splunk network inputs, I'm very satisfied!

Ciaoand next time.
Giuseppe

Re: TCP requirement for syslog transfer

nickhills — Wed, 29 Jan 2020 12:33:21 GMT

Syslog can be either TCP or UDP - are you sure that in your case that syslog was not using TCP transport instead of UDP?

Re: TCP requirement for syslog transfer

gfreitas — Wed, 29 Jan 2020 13:57:01 GMT

Maybe you have a Load Balancer that health checks if TCP is working and if not it doesn't load balance the syslog traffic?

Re: TCP requirement for syslog transfer

isoutamo — Wed, 29 Jan 2020 21:35:43 GMT

Have you config of sending syslog client? Definitely it sounds like it sends events over tcp instead of udp.

R. Ismo

Re: TCP requirement for syslog transfer

bandit — Thu, 30 Jan 2020 05:38:12 GMT

You can can use netcat (nc) command to test sending messages to either TCP or UDP 514 or other ports on the Linux command line.

Example commands (replace localhost with your ip or fqdn) if not testing directly on the same server which hosts the syslog service.

udp test to localhost

echo -n "<14>mytesthost This is a syslog ***UDP 514*** Test" | nc -u -w5 -v localhost 514

tcp test to localhost

echo -n "<14>mytesthost This is a syslog ***TCP 514*** Test" | nc -w5 -v localhost 514

I also like this free testing tool for Windows (Essential NetTools) https://www.tamos.com/download/main/

Re: TCP requirement for syslog transfer

jibin1988 — Thu, 30 Jan 2020 09:29:46 GMT

Hi Rob,

I did that and we found udp port is open and tcp is closed using nc command.

nc -vz 514 ---- Its connection time out
nc - vzu 514 ---- Its succeeded!!

So after this we opend tcp port as well and the logs started reporting.

Re: TCP requirement for syslog transfer

jibin1988 — Thu, 30 Jan 2020 09:32:50 GMT

Thanks @gfreitas for your input.

Yes we do have a LB in between, But how can we confirm that?

Re: TCP requirement for syslog transfer

gfreitas — Thu, 30 Jan 2020 09:46:18 GMT

I would say you need to check with whoever configured the LB.
In general you can use tcpdump to monitor your syslog server and check for any packets arriving from the Load Balancer IPs on port 514 TCP. This might give you a confirmation that the LB is health checking the syslog server and therefore understanding it as down if no TCP connection is stablished.

Re: TCP requirement for syslog transfer

nickhills — Thu, 30 Jan 2020 09:55:49 GMT

Right - but you are testing what RECEIVING ports are open - My comment is are you SURE you known what protocol syslog is being SENT on.

tcpdump the sending machine and see what traffic is being sent on 514.