We have updated our Terms of Service, Code of Conduct, and Addendum.

Error: Initialization error: bind EADDRNOTAVAIL

User1
User1 Posts: 6

Hello, has anyone encountered this error? i'm trying to forward my firewall logs to Cribl.

I added Syslog Push via QuickConnect.

Address: is public IP address of the firewall

UDP port: 1514

On my firewall Settings:

Syslog Server Address: is the Ingress IP of Cribl Cloud

Port: 1514

Are these the correct settings?

Tagged:

Comments

  • Jon Rust
    Jon Rust Posts: 419 mod

    For the address field, you'll want to leave this as the default: 0.0.0.0. It is the address to listen on, and must be defined on an interface on the worker node. The 0s notation says to listen on any address on any interface.

  • User1
    User1 Posts: 6

    thanks for the response Jon. I changed it to 0.0.0.0, but looks like there is no data coming in.

    How do i define interface on the worker node? Is there any guide.

    And im curious, on my firewall settings, is it correct to use the Ingress IP of Cribl Cloud as the Syslog server.

  • Jon Rust
    Jon Rust Posts: 419 mod

    First step: Did you commit and deploy after the change? What does the status screen in the source definition show?

    Next, get onto the worker's CLI and check if 1514 is open. You can use lsof or netstat for this. Example:

    $ sudo lsof -P -u cribl | grep UDP | grep 1514
    cribl 3036 cribl 37u IPv4 48676 0t0 UDP *:1514

    (-u says to only check for cribl owned processes, and -P says to show port numbers, not as names)

    If the worker is listening on 1514, you'll next want to check if you have any firewalls running. Many distros come with a fairly restrictive firewall in place by default. Best advice is to check your distro docs on this topic.

    You can also check to see if the basics are working by starting a capture in Cribl, then using something like logger or netcat to send data to the port you're listening on from localhost:

    $ echo "<14>Testing muh syslog" | $(netcat) -v -u -w 0 127.0.0.1 1514
    

    Sub in the path to netcat (usually nc)

    You should see data show in the Cribl capture.

  • User1
    User1 Posts: 6

    Yes i have Commited deployed. Status in green Healthy.

    I think the steps you are referring to is for Cribl Stream which is on Prem?I'm using Crible Cloud. I'm not sure how to do that if im using the Cloud version.

  • Jon Rust
    Jon Rust Posts: 419 mod

    Port 1514 is not one of the ports available to Cloud. On the Cloud landing page, hit the Network Settings link to see the ports available to you.

    As an aside, testing with UDP data to the Cloud is fine. I would discourage using it in production however. Better to use TCP, or better still, install a Cribl Worker close to the syslog producers, and forward to the Cloud using Cribl HTTP.

  • User1
    User1 Posts: 6

    looks like these are the only ports availble? 20000-20010 TCP

    Yes at this point im just trying to forward and see what info will be be captured on the logs.

    I tried using port 20010 TCP and committed change. Status is Green and but seems no data is getting received.

    On my firewall side i have the Cribl Cloud Ingress IP as Syslog Server Address and Syslog Port as 20010.

    I really appreciate the response :)

  • Jon Rust
    Jon Rust Posts: 419 mod

    There are deafult ports enabled for common data types. UDP Syslog is on 9514. (Scroll down from where you took that screencap above.)

  • User1
    User1 Posts: 6

    hmm.. i get this error when i try that port.

  • Jon Rust
    Jon Rust Posts: 419 mod

    There is already an input defined for that port, so you're conflicting with it. You don't need to create this input. Use the existing.

  • User1
    User1 Posts: 6

    i think i got it to work. I am seeing logs on my Destination.

    Thanks a lot Jon Rust. I really appreciate the support. Thank you

  • Jon Rust
    Jon Rust Posts: 419 mod

    No problemo! Glad it's working for you!