Unable to Bind port '514' due to to [(98)-(Address already in use)]
Andrehens Chicfici
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips>XXX.XXX.XXX.XXX/24</allowed-ips>
<local_ip>10.122.0.252</local_ip>
</remote>
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips> XXX.XXX.XXX.XXX/24 </allowed-ips>
<local_ip>XXX.XXX.XXX.XXX</local_ip>
</remote>
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips> XXX.XXX.XXX.XXX/24</allowed-ips>
<local_ip> XXX.XXX.XXX.XXX </local_ip>
</remote>
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips> XXX.XXX.XXX.XXX/24 </allowed-ips>
<local_ip> XXX.XXX.XXX.XXX </local_ip>
</remote>
victor....@wazuh.com
Hello,
Indeed, the error you encountered is due to using port 514 multiple times in your configuration.
You have two options to resolve this:
Single Remote Configuration Block with Multiple Allowed IPs
You can consolidate your configuration into a single block and specify multiple allowed-ips as follows:
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips>192.168.56.0/25</allowed-ips>
<allowed-ips>192.168.56.128/26</allowed-ips>
...
<local_ip>192.168.56.8</local_ip>
</remote>
Check the allowed-ips documentation page
Separate Remote Configuration Blocks with Different Ports
Alternatively, you can create different configuration blocks for each subnet, but using distinct ports as shown below:
<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>tcp</protocol>
<allowed-ips>XXX.XXX.XXX.XXX/24</allowed-ips>
<local_ip>XXX.XXX.XXX.XXX</local_ip>
</remote>
<remote>
<connection>syslog</connection>
<port>11510</port>
<protocol>tcp</protocol>
<allowed-ips>XXX.XXX.XXX.XXX/24</allowed-ips>
<local_ip>XXX.XXX.XXX.XXX</local_ip>
</remote>
Please note that this second approach requires configuring your devices to change the forwarded port.
Implementing one of these options should resolve the issue.
If you have any further questions, feel free to ask.
Andrehens Chicfici
# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf
#################
#### MODULES ####
#################
module(load="imuxsock") # provides support for local system logging
module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")
victor....@wazuh.com
Yes, the issue arises because the port is already used by rsyslog.
If you are utilizing rsyslog on your server, it may not be necessary to include the syslog remote block, as events will be stored in the /var/log directory or in the paths configured in the rsyslog configuration. Once those logs are in the server, you can monitor them through the logcollector daemon (check Monitoring log files documentation)
You have the option to disable rsyslog on your server and use the native server remote block, or you can configure rsyslog to achieve the desired behavior. Combining rsyslog configuration with proper firewall settings (refer to the rsyslog documentation here) can effectively collect your devices logs.