Error: Initialization error: bind EADDRNOTAVAIL
Hello, has anyone encountered this error? I'm trying to forward my firewall logs to Cribl.
I added Syslog Push via QuickConnect.
Address: is public IP address of the firewall
UDP port: 1514
On my firewall Settings:
Syslog Server Address: is the Ingress IP of Cribl Cloud
Port: 1514
Are these the correct settings?
Comments
-
For the address field, you'll want to leave this as the default: 0.0.0.0. It is the address to listen on, and must be defined on an interface on the worker node. The 0s notation says to listen on any address on any interface.
0 -
Thanks for the response, Jon. I changed it to 0.0.0.0, but it looks like there is no data coming in.
How do I define an interface on the worker node? Is there any guide?
And I'm curious, on my firewall settings, is it correct to use the Ingress IP of Cribl Cloud as the Syslog server?
0 -
First step: Did you commit and deploy after the change? What does the status screen in the source definition show?
Next, get onto the worker's CLI and check if 1514 is open. You can use lsof or netstat for this. Example:
$ sudo lsof -P -u cribl | grep UDP | grep 1514
cribl 3036 cribl 37u IPv4 48676 0t0 UDP *:1514
(-u says to only check for cribl owned processes, and -P says to show port numbers, not as names)
If the worker is listening on 1514, you'll next want to check if you have any firewalls running. Many distros come with a fairly restrictive firewall in place by default. Best advice is to check your distro docs on this topic.
You can also check to see if the basics are working by starting a capture in Cribl, then using something like logger or netcat to send data to the port you're listening on from localhost:
$ echo "<14>Testing muh syslog" | $(netcat) -v -u -w 0 127.0.0.1 1514
Sub in the path to netcat (usually nc)
You should see data show in the Cribl capture.
0 -
Yes, I have committed and deployed. Status is green, Healthy.
I think the steps you are referring to are for Cribl Stream, which is on-prem? I'm using Cribl Cloud. I'm not sure how to do that if I'm using the Cloud version.
0 -
Port 1514 is not one of the ports available to Cloud. On the Cloud landing page, hit the Network Settings link to see the ports available to you.
As an aside, testing with UDP data to the Cloud is fine. I would discourage using it in production however. Better to use TCP, or better still, install a Cribl Worker close to the syslog producers, and forward to the Cloud using Cribl HTTP.
0 -
Looks like these are the only ports available? 20000-20010 TCP
Yes, at this point I'm just trying to forward and see what info will be captured in the logs.
I tried using port 20010 TCP and committed the change. Status is Green, but it seems no data is getting received.
On my firewall side I have the Cribl Cloud Ingress IP as Syslog Server Address and Syslog Port as 20010.
I really appreciate the response :)
0 -
There are default ports enabled for common data types. UDP Syslog is on 9514. (Scroll down from where you took that screencap above.)
0 -
Hmm.. I get this error when I try that port.
0 -
There is already an input defined for that port, so you're conflicting with it. You don't need to create this input. Use the existing.
0 -
I think I got it to work. I am seeing logs on my Destination.
Thanks a lot Jon Rust. I really appreciate the support. Thank you
1 -
No problemo! Glad it's working for you!
0
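Added example, not part of the original thread and not Cribl code: a Python sketch of why the Address field in the question produced `bind EADDRNOTAVAIL`, together with a localhost self-test equivalent to the netcat check described above. The function names are hypothetical, and `203.0.113.10` is a documentation-range placeholder standing in for an address that is not configured on the listening host, such as the firewall's public IP.

```python
import errno
import socket


def try_bind(address, port=0, kind=socket.SOCK_DGRAM):
    """Return 'ok' if a listener can bind to address, else the errno name."""
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((address, port))  # port 0 lets the OS pick a free port
            return "ok"
        except OSError as exc:
            return errno.errorcode.get(exc.errno, str(exc.errno))


def parse_pri(message):
    """Split a syslog line's leading <PRI> into (facility, severity, rest)."""
    if not message.startswith("<") or ">" not in message[:5]:
        raise ValueError("no syslog PRI header")
    pri, rest = message[1:].split(">", 1)
    value = int(pri)
    if not 0 <= value <= 191:
        raise ValueError("PRI out of range")
    return value >> 3, value & 7, rest


def loopback_selftest(payload=b"<14>Testing muh syslog"):
    """Listen on 0.0.0.0, send one datagram from localhost, parse what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("0.0.0.0", 0))  # any interface, ephemeral port
        listener.settimeout(2)
        port = listener.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(payload, ("127.0.0.1", port))
        data, _peer = listener.recvfrom(4096)
    return parse_pri(data.decode())


if __name__ == "__main__":
    # The listen address must belong to a local interface (or be 0.0.0.0).
    print("0.0.0.0      ->", try_bind("0.0.0.0"))
    print("203.0.113.10 ->", try_bind("203.0.113.10"))  # placeholder remote IP
    print("self-test    ->", loopback_selftest())
```

The sender's address is never part of the listener's bind; it only appears as the peer of each received datagram.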