Hi arnydo,
It will not show it is listening, but you do need to make sure 514 is permitted on the firewall, then restart the firewalld service. I have it set up and events are flowing to 514 and forwarded to 5514, but only 5514 is actually listening.
If that doesn't resolve your issue, then you may need to check your zones in firewall-cmd and verify that you are adding the forwarding to the appropriate zone where the interface is attached. For instance, I have all my internal syslog forwarding to the interface tied to my INTERNAL zone. So, if the zone isn't your default, you'll need to specify it when you create the port forwarding. You also may need to enable masquerade to permit forwarding locally. Below is an example of my zone configuration and some of the commands required to set it up this way.
Additionally, you can also remove the 127.0.0.1 from the setting; if it is null, it will default back to localhost. See below:
Example of my complete updated config where I used the internal zone for my interface:
CENTOS 7.3 CONFIG
Specify which interface should default to the applicable zone.
# Edit network config at /etc/sysconfig/network-scripts/ifcfg-interfacename
# Add [ZONE=internal] without brackets
Config Firewall ACLs
sudo firewall-cmd --set-default-zone=internal
sudo firewall-cmd --permanent --zone=internal --add-port=514/tcp #syslog port
sudo firewall-cmd --permanent --zone=internal --add-port=514/udp #syslog port
sudo firewall-cmd --permanent --zone=internal --add-port=5514/tcp #syslog forwarded port
sudo firewall-cmd --permanent --zone=internal --add-port=5514/udp #syslog forwarded port
sudo firewall-cmd --permanent --zone=internal --add-port=5600/tcp #kibana
sudo firewall-cmd --permanent --zone=internal --add-port=5601/tcp #kibana
sudo firewall-cmd --permanent --zone=internal --add-port=9600/tcp #logstash
sudo firewall-cmd --permanent --zone=internal --add-port=9200/tcp #elasticsearch
sudo firewall-cmd --permanent --zone=internal --add-port=9300/tcp #elasticsearch
sudo firewall-cmd --zone=internal --add-masquerade --permanent
sudo systemctl restart network.service
sudo systemctl restart firewalld
sudo firewall-cmd --permanent --zone=internal --add-forward-port=port=514:proto=udp:toport=5514 #forward syslog 514 -> 5514 (internal is already the default zone, so --zone is optional here)
sudo firewall-cmd --permanent --zone=internal --add-forward-port=port=514:proto=tcp:toport=5514 #forward syslog 514 -> 5514
sudo systemctl restart firewalld
sudo firewall-cmd --list-all-zones #confirm the interface shows under the internal zone
sudo firewall-cmd --zone=internal --list-all #ports and forward-ports should both be listed
sudo firewall-cmd --zone=internal --query-masquerade #should print "yes"
LOGSTASH SYSLOG INPUT CONFIG
[elasticsearch@blf-logstash-001 ~]$ cat /etc/logstash/conf.d/20-network-syslog.conf
input {
    udp {
        port => 5514
        type => network
    }
    tcp {
        port => 5514
        type => network
    }
}
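Added example, not from the original post: a small POSIX shell check that reads the text of `firewall-cmd --zone=internal --list-all` and confirms the opened ports, the 514 -> 5514 forward-ports and masquerade described above are all present, printing whatever is missing. The sample zone listing and the function name are my own constructions.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=internal --list-all` output
# (firewalld prints extra forward-ports on tab-indented continuation lines).
SAMPLE_ZONE_OUTPUT='internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh mdns samba-client dhcpv6-client
  ports: 514/tcp 514/udp 5514/tcp 5514/udp 5601/tcp 9200/tcp
  protocols:
  masquerade: yes
  forward-ports: port=514:proto=udp:toport=5514:toaddr=
	port=514:proto=tcp:toport=5514:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:
'

# check_syslog_forwarding LISTING
# Returns 0 when the zone listing has every required entry, 1 otherwise,
# and prints one line per missing item.
check_syslog_forwarding() {
    listing="$1"
    missing=0
    # Syslog ports the zone must open (the ones added with --add-port above).
    for p in 514/tcp 514/udp 5514/tcp 5514/udp; do
        printf '%s\n' "$listing" | grep -E '^ *ports:' | grep -qwF -- "$p" \
            || { echo "missing port: $p"; missing=1; }
    done
    # Forwarding rules 514 -> 5514 for both protocols.
    for proto in udp tcp; do
        printf '%s\n' "$listing" | grep -qF "port=514:proto=$proto:toport=5514" \
            || { echo "missing forward-port: 514/$proto -> 5514"; missing=1; }
    done
    # Local forwarding needs masquerade enabled in the zone.
    printf '%s\n' "$listing" | grep -q '^ *masquerade: yes' \
        || { echo "masquerade not enabled in zone"; missing=1; }
    return $missing
}

# Offline run against the constructed sample:
check_syslog_forwarding "$SAMPLE_ZONE_OUTPUT" && echo "syslog forwarding looks complete"
# Live use on the host (needs root):
#   check_syslog_forwarding "$(sudo firewall-cmd --zone=internal --list-all)"
```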
