Trouble getting syslog data from external source

[jgiuliano2024]

Version

2.4.110

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

64

Storage for /

1TB

Storage for /nsm

1TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Went into firewall, host groups, syslog. added external sources IP to master node it is a manager search node saved changes and syncd all nodes. doing a tcpdump watching the traffic see this

21:23:35.629173 84:b8:02:dd:37:70 > 00:50:56:8c:d5:8a, ethertype IPv4 (0x0800), length 103: 192.168.50.20.56992 > 10.195.6.100.syslog: SYSLOG user.notice, length: 61
21:23:35.629291 00:50:56:8c:d5:8a > 84:b8:02:dd:37:70, ethertype IPv4 (0x0800), length 131: 10.195.6.100 > 192.168.50.20: ICMP 10.195.6.100 udp port syslog unreachable, length 97

Ran iptables -L

ACCEPT     tcp  --  192.168.50.20        anywhere             tcp dpt:shell
ACCEPT     udp  --  192.168.50.20        anywhere             udp dpt:syslog

Did an nmap scan and get this

514 UDP Closed

I am getting syslog data from other systems just fine.

The firewall did have an issue a month ago from adding a custom port group which got sorted out by removing it.

Any help would be great

Thanks
Joe

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[InfosecGoon]

These hosts are on different subnets -- are there any other security controls between them? An internal firewall, a software firewall in your virtualization environment, anything like that?

[jgiuliano2024]

Yes there are firewalls they have been opened up to allow the traffic. I test with another system on the same subnet as my Master node and got the same message in the tcpdump

16:46:04.873277 00:50:56:88:09:b1 > 00:50:56:8c:d5:8a, ethertype IPv4 (0x0800), length 186: 10.195.6.102.38145 > 10.195.6.100.syslog: SYSLOG local0.info, length: 144
16:46:04.873382 00:50:56:8c:d5:8a > 00:50:56:88:09:b1, ethertype IPv4 (0x0800), length 214: 10.195.6.100 > 10.195.6.102: ICMP 10.195.6.100 udp port syslog unreachable, length 180

It seems something is wrong with SO firewall

When I run a scan on it shows open but filtered

PORT STATE SERVICE
514/udp open|filtered syslog

[InfosecGoon]

Have you modified the Agent Policy for your Manager at all in Fleet? It should be accepting syslog by default.

[jgiuliano2024]

No I have not. I did try an experiment by allowing syslog to one of my sensors and that is working a netstat shows the sensor listening on port 514 as where the master is not.

[jgiuliano2024]

Not fixed seems the Masters firewall has an issue that is not fixable without a reinstall. It is working from one of the sensors that firewall does allow traffic in on port 514.