I'm running a minimal CentOS 7 setup and am trying to receive syslog into ELK. I have installed ELK with defaults and all three services are up.
Using port 5000 for Logstash, I have started to receive syslog - sending from KiwiSyslogGen. I have a Kibana dashboard that shows syslog entries counting up - Yaaay
So I have now placed the following firewall rules in to see if I can avoid being the root user and redirect syslog from port 514 to 5000 and so keep receiving them. The only problem is I can use tcpdump to monitor 514 and see syslog arriving, but nothing appears in my Kibana dashboard. It must be my firewall rules...
Can anyone take a peek and let me know where I have stepped on a landmine:
first I put rules in to allow elasticsearch ports
sudo firewall-cmd --zone=public --add-port=9200/tcp --permanent
sudo firewall-cmd --zone=public --add-port=9300/tcp --permanent
Then I added rules to gain access remotely to Kibana.
Add a firewall redirect so port 80 goes to 5601 - allowing standard HTTP to take you to Kibana.
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=5601
Next I tried to configure the firewall to allow syslog and to redirect it to port 5000 - so avoiding the need to run Logstash with root privileges.
sudo firewall-cmd --zone=public --add-port=514/tcp --permanent
sudo firewall-cmd --zone=public --add-port=514/udp --permanent
sudo firewall-cmd --add-forward-port=port=514:proto=udp:toport=5000:toaddr=127.0.0.1 --permanent
sudo firewall-cmd --add-forward-port=port=514:proto=tcp:toport=5000:toaddr=127.0.0.1 --permanent
Eventually, after restarting firewalld, I got the following status output:
services: ssh dhcpv6-client
ports: 9200/tcp 9300/tcp 80/tcp 514/tcp 514/udp
Any help for this newbie would be greatly appreciated.
UPDATE: MY ERROR WAS IN ADDING toaddr TO THE 514 REDIRECTS. I REMOVED THAT AND ALL IS WELL!