TCP requirement for syslog transfer
Syslogs are sent on UDP port 514 towards syslog-ng.
But we have experienced that if TCP port 514 is not working/not open, syslogs are not transferred.
As soon as TCP is fixed, syslogs start transferring and validation is successful!
Can someone explain why it is like this / how this works?
You can use the netcat (nc) command to test sending messages to either TCP or UDP 514, or other ports, on the Linux command line.
Example commands (replace localhost with your IP or FQDN if not testing directly on the server that hosts the syslog service):
UDP test to localhost:
echo -n "<14>mytesthost This is a syslog ***UDP 514*** Test" | nc -u -w5 -v localhost 514
TCP test to localhost:
echo -n "<14>mytesthost This is a syslog ***TCP 514*** Test" | nc -w5 -v localhost 514
I also like this free testing tool for Windows (Essential NetTools): https://www.tamos.com/download/main/
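The same check as the nc one-liners, as an added example that is not part of the reply above or of syslog-ng: it builds a "<14>" test line, sends it over UDP or TCP, and includes a tiny local TCP receiver so you can see why a UDP send "succeeding" proves nothing while a TCP connect refusal does (host names and ports are placeholders chosen here).

```python
import socket
import threading

FACILITY_USER, SEVERITY_INFO = 1, 6  # PRI <14> = 1*8 + 6, as in the nc lines above

def build_syslog(facility, severity, hostname, text):
    """RFC 3164-style line: <PRI>HOSTNAME TEXT, where PRI = facility*8 + severity."""
    return f"<{facility * 8 + severity}>{hostname} {text}".encode()

def decode_pri(line):  # (facility, severity) from the leading <PRI>
    pri = int(line[1:line.index(b">")])
    return pri // 8, pri % 8

def send_syslog(host, port, payload, proto="udp", timeout=5.0):
    """UDP has no handshake, so sendto() to a closed port still returns True; TCP returns False on a failed connect."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(payload, (host, port))
            return True
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.sendall(payload + b"\n")  # newline framing, as a syslog-ng tcp() source reads it
            return True
        except OSError:
            return False

def start_tcp_listener(host="127.0.0.1"):
    """One-shot TCP receiver on an ephemeral port; returns (port, inbox, thread)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    srv.settimeout(5)
    port, inbox = srv.getsockname()[1], []
    def run():
        with srv:  # accept one connection, keep what it sent, then close
            conn, _ = srv.accept()
            with conn:
                inbox.append(conn.recv(4096))
    t = threading.Thread(target=run, daemon=True)
    t.start()
    return port, inbox, t

def free_port():
    """An ephemeral port with nothing listening on it (the thread's 'TCP closed' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Because the UDP send returns True even against a closed port, the only way to know what the device actually emits is to capture on the sender, as suggested later in this thread.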
Hi Rob,
I did that, and using the nc command we found the UDP port is open and TCP is closed:
nc -vz <syslog-server> 514 ---- connection timed out
nc -vzu <syslog-server> 514 ---- succeeded!!
So after this we opened the TCP port as well and the logs started reporting.
Right - but you are testing what RECEIVING ports are open. My comment is: are you SURE you know what protocol syslog is being SENT on?
Run tcpdump on the sending machine and see what traffic is being sent on 514.
Maybe you have a load balancer that health-checks whether TCP is working and, if not, doesn't load balance the syslog traffic?
Thanks @gfreitas for your input.
Yes, we do have a LB in between, but how can we confirm that?
I would say you need to check with whoever configured the LB.
In general you can use tcpdump to monitor your syslog server and check for any packets arriving from the load balancer IPs on port 514 TCP. This might give you confirmation that the LB is health-checking the syslog server and therefore treating it as down if no TCP connection is established.
Syslog can be either TCP or UDP - are you sure that in your case syslog was not using TCP transport instead of UDP?
Do you have the config of the sending syslog client? It definitely sounds like it sends events over TCP instead of UDP.
R. Ismo
Hi @jibin1988,
Are you sure about this?
I have experienced many times that when only the UDP port is opened (enabling a UDP network input), syslogs arrive.
Another question: you speak about syslog-ng, but are you receiving syslogs using syslog-ng or a Splunk input?
Ciao.
Giuseppe
Hi Giuseppe,
We have experienced this situation: UDP port 514 was already open and still the device was not reporting. After troubleshooting for long hours we opened the TCP port and the device started sending logs.
And yes, we are using syslog-ng for collecting the logs, not a Splunk input.
Regards,
Jibin
Hi @jibin1988,
In this case I'm not able to support you; you need a network expert, not a Splunk expert!
At the same time, I suggest you try the Splunk network inputs; I'm very satisfied with them!
Ciao and until next time.
Giuseppe
