Cannot ingest syslog #1668
-
I am trying to send syslog from a pfSense firewall on UDP port 514 to my main SO 2.3.2. I ran so-allow to allow the source IP address to the syslog role. However, I don't see the logs show up in Kibana. If I do a tcpdump, I see the following error:

ICMP [hostname] udp port syslog unreachable, length 92

The latest docs mention we just need to run so-allow to start accepting syslog, but I am wondering if there is any further configuration needed?

Update: if I run netstat, I do not see the main SO listening on port 514. How do I get it to start listening on that port beyond so-allow?
-
What does /opt/so/conf/filebeat/filebeat.yml look like on the manager?
-
What is the output of
so-firewall includedhosts syslog
?