
Syslog forwarding with UDP #694

Answered by NVivero
m1575 asked this question in FAQ
Jul 23, 2025 · 2 comments · 6 replies

Our current firewall only supports syslog over UDP with port 514. I attempted to follow the Syslog Forwarding guidance in the documentation, exchanging TCP for UDP and specifying port 514/udp in the PublishPort line, but it doesn't seem to be working.
Specific things I changed:

  • Added integration for Custom UDP Logs instead of Custom TCP Logs
  • While configuring Custom UDP Logs, specified a listen port of 514 and a dataset name of udp.syslog
  • In /etc/containers/systemd/lme-fleet-server.container, I changed the PublishPort directive to PublishPort=8220:8220,514:514/udp
  • Created an rsyslog configuration /etc/rsyslog.d/60-forward-udp.conf with a forwarding directive of *.* @@my-lme-ip:514

Am I missing something? I'm not super familiar with rsyslog, podman, or elastic.



Based on what you shared, your setup looks correct for enabling syslog forwarding over UDP. There are a few things to confirm to make sure the updates you made take effect.

  1. If you haven't already done so, restart the container service to ensure the port mapping takes effect. You can use the following commands:
     sudo systemctl daemon-reexec
     sudo systemctl daemon-reload
     sudo systemctl restart podman-lme-fleet-server.service
  2. You will also need to check for any port conflicts to ensure nothing (like rsyslog) is already bound to UDP 514. If that's the case, you can have rsyslog receive on 514 and forward to an alternate UDP port that the container can listen on (e.g., 1514).
  3. Confirm traffic is hitting the host with sudo tcpdump -i any port 514

Let us know what you see and if you run into any more issues.

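Added example, not code from this thread or from the LME project, covering the two checks suggested in the comment above (port conflicts on UDP 514 with rsyslog forwarding to 1514, and confirming that traffic reaches the host): it builds the rsyslog forwarding line in the single-@ UDP form, classifies an existing directive as UDP or TCP (in rsyslog's legacy syntax a single @ is UDP and @@ is TCP, so the @@ directive quoted in the question forwards over TCP), and binds a UDP port to confirm that a syslog datagram is actually received there, independently of the container. The host name, port numbers and test message are assumed values.

```python
import re
import socket

# rsyslog legacy forwarding syntax: a single "@" sends UDP, "@@" sends TCP.
# "*.* @@host:514" therefore opens a TCP connection that a UDP-only
# listener on 514 never sees.
def rsyslog_forward_line(host, port, tcp=False):
    """Build a forwarding directive for /etc/rsyslog.d/ (host/port assumed)."""
    return f"*.* {'@@' if tcp else '@'}{host}:{port}"

def forward_transport(line):
    """Report whether an existing directive forwards over 'udp' or 'tcp'."""
    m = re.search(r"\s(@@?)\S+", line)
    if not m:
        raise ValueError(f"not a forwarding directive: {line!r}")
    return "tcp" if m.group(1) == "@@" else "udp"

PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_pri(datagram):
    """Split the RFC 3164 <PRI> header into (facility, severity)."""
    m = PRI_RE.match(datagram.decode("utf-8", "replace"))
    if not m:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    return pri // 8, pri % 8

def udp_probe(port, host="0.0.0.0", timeout=2.0, self_send=True):
    """Bind `port` and return (facility, severity) of the first datagram.

    self_send=True sends one constructed message to itself (loopback self-test);
    self_send=False waits `timeout` seconds for an external sender such as the
    firewall. A bind error means another process (e.g. rsyslog) already owns the
    port; a timeout means nothing reached the host, so the container is not the place to look.
    """
    msg = b"<134>Aug 20 08:41:56 probe udp-syslog-check: hello"  # constructed
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((host, port))
        rx.settimeout(timeout)
        if self_send:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
                tx.sendto(msg, ("127.0.0.1", rx.getsockname()[1]))
        data, _ = rx.recvfrom(2048)
    return parse_pri(data)

if __name__ == "__main__":
    print(rsyslog_forward_line("my-lme-ip", 1514))   # *.* @my-lme-ip:1514
    print(forward_transport("*.* @@my-lme-ip:514"))  # tcp
    print(udp_probe(0))                              # (16, 6)
```

To wait for the firewall's own packets, stop the container first so port 1514 is free and call udp_probe(1514, self_send=False, timeout=30).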
@m1575

Thanks for the advice.

I changed the syslog forwarding to port 1514 in the Custom UDP Logs integration, the PublishPort directive, and in the rsyslog configuration file 60-forward-udp.conf. I confirmed that my firewall is sending packets to my-lme-ip:1514. I also ran your recommended commands for restarting the container service.

When I run sudo tcpdump -i any port 514, these are my results:
[Screenshot 2025-08-20 084156: tcpdump output, image not reproduced]

Unfortunately, I'm still not seeing anything from my firewall IP or on port 1514 within the Kibana server.
[Screenshot 2025-08-20 084336: Kibana view, image not reproduced]


The tcpdump you ran was still checking port 514 and not 1514. Can you try sudo tcpdump -i any port 1514 and see if that works?

@m1575

Here's the results from sudo tcpdump -i any port 1514:
[screenshot: tcpdump output, image not reproduced]

@NVivero

Do you see the logs in the Discover UI?

@m1575

No, I still see nothing coming to port 1514.

[screenshot: Discover UI, image not reproduced]
@NVivero

Did you restart Fleet after updating PublishPort to 1514? The container won’t bind to the new port until it’s restarted so that may be the issue. You can restart the service with the following commands:

sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl restart podman-lme-fleet-server.service

If that’s already been done and/or logs still aren’t showing up after restarting, run this to check if the agent inside the container is starting the UDP input or hitting errors:
podman logs lme-fleet-server | grep -i input

Answer selected by m1575
@m1575

That worked. Thanks again for your help!
