In my design, there are collectors placed in security zones, receiving logs from a great number of Linux servers and forwarding the incoming to a Master Collector. This works perfectly fine :) My Collector's Input is defined like:

<Extension _syslog>
    Module    xm_syslog
<Input in1>
    Module    im_tcp
    Port    514
    Exec    parse_syslog();

but with one exception: In one of the zones I'm supposed to receive logs from the firewall - I can see in the nxlog.log the connection is accepted, but then it says

connection accepted from [X.X.X:X]:port
couldn't bind tcp socket to [X.X.X.X]:514; cannot assign requested address

and I don't get any firewall logs.

What is the proper fix for this?

AskedOctober 14, 2020 - 4:57pm

Comments (2)

  • konstantinos's picture

    Hi there,

    Any chance there is another process listening to 514/TCP on that server? You can check by running netstat -tlnp | grep 514. Could you also please share your kernel version uname -r? Thanks!


  • DS_534595's picture

    Thanks for reply @konstantinos,

    uname -r :

    netstat is not installed, so I use ss

    • there is only one LISTEN

    LISTEN 0 128 *.514 *.* users:(("nxlog",pid=28739,fd=18))

    Does it make a difference that I've defined the Exec parse_syslog(); and the Linux servers send in syslog_ietf, but the FortiGate firewall does not?

Answers (0)