SOLVED! CentOS 7 minimal - Syslog received on port 5000 but not after a redirect fw rule from 514


#1

Hi,
I'm running a minimal CentOS 7 setup and am trying to receive syslog into ELK. I have installed ELK with defaults and all three services are up.

Using port 5000 for logstash I have started to receive Syslog - sending from KiwiSyslogGen. I have a kibana dashboard that shows syslog entries counting up - Yaaay

So I have now put the following firewall rules in to see if I can avoid being root user and redirect syslog from port 514 to 5000 and so keep receiving them. Only problem is I can use tcpdump to monitor 514 and see syslog arriving, but nothing appears in my Kibana dashboard. It must be my firewall rules...

Can anyone take a peek and let me know where I have stepped on a landmine:

First I put rules in to allow the Elasticsearch ports:
sudo firewall-cmd --zone=public --add-port=9200/tcp --permanent
sudo firewall-cmd --zone=public --add-port=9300/tcp --permanent

Then I added rules to gain access remotely to Kibana.
Add a firewall redirect so port 80 goes to 5601 - allowing standard HTTP to take you to Kibana:
sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
sudo firewall-cmd --permanent --add-forward-port=port=80:proto=tcp:toport=5601

Next I tried to configure the firewall to allow syslog and to redirect it to port 5000 - so avoiding the need to run Logstash with root privileges:
sudo firewall-cmd --zone=public --add-port=514/tcp --permanent
sudo firewall-cmd --zone=public --add-port=514/udp --permanent
#UDP Rule
sudo firewall-cmd --add-forward-port=port=514:proto=udp:toport=5000:toaddr=127.0.0.1 --permanent
#TCP Rule
sudo firewall-cmd --add-forward-port=port=514:proto=tcp:toport=5000:toaddr=127.0.0.1 --permanent

Eventually after restarting firewalld I got the following status output:

public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 9200/tcp 9300/tcp 80/tcp 514/tcp 514/udp
protocols:
masquerade: no
forward-ports: port=80:proto=tcp:toport=5601:toaddr=
port=514:proto=udp:toport=5000:toaddr=127.0.0.1
port=514:proto=tcp:toport=5000:toaddr=127.0.0.1
source-ports:
icmp-blocks:
rich rules:

Any help for this newbie would be greatly appreciated.

UPDATE: MY ERROR WAS IN ADDING toaddr TO THE 514 REDIRECTS. I REMOVED THAT AND ALL IS WELL!

Thanks
QR
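As an added example (not part of the original post), this script checks `firewall-cmd --list-all` output for the exact mistake identified in the update: a local port redirect that carries `toaddr=127.0.0.1`. The Linux kernel drops packets arriving on a non-loopback interface that are DNAT'd to 127.0.0.0/8 (unless route_localnet is enabled), so a redirect to another local port must leave toaddr empty. The sample status text is constructed from the output shown above; function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Flags forward-port entries that
# redirect to the loopback address and emits the firewall-cmd commands that
# replace each with a plain port redirect (same port/proto/toport, no toaddr).

# Constructed from the `firewall-cmd --list-all` output shown in the post.
SAMPLE_STATUS='public
target: default
ports: 9200/tcp 9300/tcp 80/tcp 514/tcp 514/udp
forward-ports: port=80:proto=tcp:toport=5601:toaddr=
port=514:proto=udp:toport=5000:toaddr=127.0.0.1
port=514:proto=tcp:toport=5000:toaddr=127.0.0.1
source-ports:'

# Read status text on stdin; print each forward-port entry whose toaddr is
# 127.0.0.1. The first entry sits on the "forward-ports:" line itself, the
# remaining entries are continuation lines beginning with "port=".
find_loopback_redirects() {
  sed -n 's/^forward-ports: *//; /^port=/p' |
    grep 'toaddr=127\.0\.0\.1$' || true
}

# Read flagged entries on stdin; print a remove/add pair for each so the
# redirect keeps working but no longer DNATs to the loopback address.
fix_commands() {
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    fixed=$(printf '%s\n' "$entry" | sed 's/:toaddr=127\.0\.0\.1$//')
    printf 'firewall-cmd --permanent --remove-forward-port=%s\n' "$entry"
    printf 'firewall-cmd --permanent --add-forward-port=%s\n' "$fixed"
  done
}

# Number of loopback redirects found in the constructed sample.
count_bad() {
  printf '%s\n' "$SAMPLE_STATUS" | find_loopback_redirects | grep -c . || true
}

# Full set of corrective commands for the constructed sample.
sample_fixes() {
  printf '%s\n' "$SAMPLE_STATUS" | find_loopback_redirects | fix_commands
}
```

Permanent rule changes only take effect after `firewall-cmd --reload`, which is also how the original poster's corrected rules became active.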

