Troubleshooting rsyslog with ElasticSearch over VPN

Asked By TechieNinja21 On

I'm having trouble getting rsyslog to send logs to my remote ElasticSearch server (10.0.72.20) through a WireGuard VPN. I can confirm that netcat and telnet work fine for checking connections, but rsyslog seems to be blocked by iptables. Here are some of the commands and rules I've tried. I added an iptables rule to allow traffic to the ElasticSearch IP, but the kernel logs show it's still being denied. Any ideas on why this is happening?

5 Answers

Answered By ServerWhisperer On

It's odd that you're seeing logs in Kibana despite iptables dropping them. Maybe look into the log prefix that's being used? It might give you more insights into what's going on.

FullStackSam -

Yeah, I noticed that too. It's confusing because the logs indicate a block, but things appear to be working.

Answered By NetworkGuru_42 On

Can you share your complete iptables ruleset? The problem might be that you have other rules above your ACCEPT rule that could be limiting access. Try using 'iptables -I OUTPUT -d 10.0.72.0/24 -j ACCEPT' to insert the rule at the top and see if that helps.

LogMaster89 -

I've modified my rules and included both source and destination, and now I'm receiving logs in Kibana, even though the kernel still shows denied messages.
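As an added example that is not from any poster in this thread, the following Python script does what ServerWhisperer and NetworkGuru_42 suggest in one place: it parses kernel messages in the iptables LOG format, groups them by log prefix and destination, and looks up in an `iptables -S OUTPUT` dump which rules follow the LOG rule that carries that prefix. The kernel lines and the ruleset are constructed samples, chosen to show the case where a LOG rule sits before the ACCEPT, which produces "denied"-looking messages for traffic that is then allowed.

```python
"""Summarise iptables LOG-target kernel messages and relate each log prefix
to the rule order in an `iptables -S OUTPUT` dump (constructed example)."""
import re
import shlex
from collections import Counter

# Constructed sample kernel messages in the iptables LOG format (not from the question).
SAMPLE_KLOG = """\
Mar  3 10:01:12 host kernel: [1234.567] OUTPUT-DENY: IN= OUT=wg0 SRC=10.0.72.5 DST=10.0.72.20 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=9200 WINDOW=64860 RES=0x00 SYN URGP=0
Mar  3 10:01:12 host kernel: [1234.568] OUTPUT-DENY: IN= OUT=eth0 SRC=192.168.1.5 DST=8.8.8.8 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
Mar  3 10:01:13 host kernel: [1234.900] OUTPUT-DENY: IN= OUT=wg0 SRC=10.0.72.5 DST=10.0.72.20 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=51000 DPT=9200 WINDOW=501 RES=0x00 ACK URGP=0
"""
# Constructed sample `iptables -S OUTPUT` output: the LOG rule comes *before* the ACCEPT,
# so every packet to the subnet is logged with a scary prefix and then accepted anyway.
SAMPLE_RULES = """\
-P OUTPUT DROP
-A OUTPUT -d 10.0.72.0/24 -o wg0 -j LOG --log-prefix "OUTPUT-DENY: "
-A OUTPUT -d 10.0.72.0/24 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
"""

KLOG_RE = re.compile(r"kernel:\s*(?:\[[^\]]*\]\s*)?(?P<prefix>.*?)\s*IN=(?P<rest>.*)$")

def parse_klog_line(line):
    """Return the KEY=VALUE fields of one LOG-target message (plus PREFIX), or None."""
    m = KLOG_RE.search(line)
    if not m:
        return None
    fields = {"PREFIX": m.group("prefix").strip().rstrip(":")}
    for tok in ("IN=" + m.group("rest")).split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v  # a repeated key (LEN on UDP lines) keeps the last value
    return fields

def summarize(klog_text, dst=None):
    """Count logged packets by (prefix, out-iface, dst, proto, dport), optionally for one DST."""
    counts = Counter()
    for line in klog_text.splitlines():
        f = parse_klog_line(line)
        if f and (dst is None or f.get("DST") == dst):
            key = (f["PREFIX"], f.get("OUT", ""), f.get("DST", ""), f.get("PROTO", ""), f.get("DPT", ""))
            counts[key] += 1
    return counts

def targets_after_log(rules_text, prefix):
    """(match-args, target) of every rule after the LOG rule carrying `prefix`, in chain order.
    LOG never terminates traversal, so the packet goes on to these rules; whether one of them
    also matches the packet must be judged from that rule's own match arguments."""
    rules = [shlex.split(l) for l in rules_text.splitlines() if l.startswith("-A ")]
    for i, r in enumerate(rules):
        if "LOG" in r and "--log-prefix" in r and r[r.index("--log-prefix") + 1].strip().rstrip(":") == prefix:
            return [(" ".join(x[2:x.index("-j")]), x[x.index("-j") + 1]) for x in rules[i + 1:]]
    return []
```

Feed it the real `journalctl -k` output and `iptables -S OUTPUT` dump to see whether the prefix you are reading as "denied" is followed by an ACCEPT or by a DROP.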

Answered By LinuxGeek88 On

Are you running those commands as root? Just checking since sometimes permission issues can affect the outcome. Also, does it work when you test with other user accounts?

TechieNinja21 -

Yes, it works with the Ansible user as well.

Answered By CommentatorBot On

I just wanted to say that the previous response might not be very helpful; sometimes the simplest suggestions don’t address the core of the problem.

Answered By TechTalker12 On

I did some digging on this, and it seems like a common problem when iptables blocks outgoing traffic to services like Elasticsearch. Adding an explicit ACCEPT rule should normally solve it. Just make sure you restart rsyslog after the changes to see the updates reflected in the logs. Here's a breakdown of the usual steps to troubleshoot issues like this.
