Connection errors

When forwarding logs over TCP, you may encounter network connection errors where NXLog Agent cannot establish a connection to the remote host. There may be several reasons for network connection errors, but a firewall blocking communication is usually the cause. Knowledge of the network setup is helpful when troubleshooting such issues.

No route to host

Symptom

NXLog Agent fails to connect to a remote host with the following error:

ERROR [om_tcp|siem] couldn't connect to 192.168.0.111:1514;No route to host
INFO [om_tcp|siem] reconnecting to 192.168.0.111:1514 in 1 sec

Possible reason

Several issues could cause this error, including:

  1. The remote host is offline.

  2. The remote host is on a different network or subnet, and there’s no configured route between the networks.

  3. The NXLog Agent machine or the remote host has a faulty or disconnected network adapter.

Investigation

Try to ping the remote host and verify whether you receive a response.

It might be helpful to determine if NXLog Agent connected to the remote host successfully in the past by searching for the following string in the current and older log files:

successfully connected to <ip_address>:<port>

Replace <ip_address> with the hostname or IP address of the remote host and <port> with the actual port number it should be listening on.

A past successful connection indicates that the issue is either temporary or caused by recent changes.
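
One way to run that search over the current and older log files and see the most recent failure for a destination, as an added example rather than code from NXLog. The function names are hypothetical, the message texts are the ones quoted on this page, and the timestamp prefix in the constructed sample lines is an assumption.

```shell
#!/bin/sh
# Added example, not NXLog code. Message texts are the ones quoted on this
# page; the timestamp prefix in the sample lines is an assumption.

# sample_log: constructed log lines for the demo run.
sample_log() {
    cat <<'EOF'
2024-05-01 10:00:00 INFO [om_tcp|siem] successfully connected to 192.168.0.111:1514
2024-05-02 09:00:00 ERROR [om_tcp|siem] couldn't connect to 192.168.0.111:1514;No route to host
2024-05-02 09:00:00 INFO [om_tcp|siem] reconnecting to 192.168.0.111:1514 in 1 sec
2024-05-02 09:00:05 ERROR [om_ssl|siem] couldn't connect to 192.168.0.50:1515;The timeout specified has expired
EOF
}

# conn_summary HOST:PORT [LOGFILE...]   (reads stdin when no file is given)
# Prints the most recent connection state for that destination and whether
# any "successfully connected" entry exists for it.
conn_summary() {
    dest=$1; shift
    awk -v dest="$dest" -v ok_msg="successfully connected to " \
        -v err_msg="couldn't connect to " '
    # True when msg+dest occurs literally (dots are not wildcards) and is not
    # just a prefix of a longer port number; the text after it goes in rest.
    function find(msg,   p) {
        p = index($0, msg dest)
        if (!p) return 0
        rest = substr($0, p + length(msg dest))
        return rest !~ /^[0-9]/
    }
    find(ok_msg)  { past = "yes"; state = "connected"; next }
    find(err_msg) {
        if      (rest ~ /^;No route to host/)   state = "no-route"
        else if (rest ~ /^;Connection refused/) state = "refused"
        else if (rest ~ /^;(Operation timed out|The timeout specified has expired)/) state = "timeout"
        else                                    state = "other"
    }
    END { printf "state=%s past_success=%s\n", (state ? state : "no-entries"), (past ? past : "no") }
    ' "$@"
}

# Demo on the constructed lines above.
sample_log | conn_summary 192.168.0.111:1514
```

Pass the log files oldest first so that `state` reflects the latest entry.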

Solution

You must ensure the remote host is online and the NXLog Agent machine can connect to it. You may need your network administrator’s assistance to resolve the issue in such cases.

Connection refused or timed out

Symptom

NXLog Agent fails to connect to a remote host due to one of the following errors:

INFO [om_tcp|siem] connecting to 192.168.0.111:1514
ERROR [om_tcp|siem] couldn't connect to 192.168.0.111:1514;Connection refused

or

ERROR [om_tcp|siem] couldn't connect to 192.168.0.50:1515;Operation timed out
ERROR [om_ssl|siem] couldn't connect to 192.168.0.50:1515;The timeout specified has expired

Possible reason

Errors like the above indicate that a network path exists between the two hosts, but the network rules do not allow the remote host to accept the connection. The culprit is usually a firewall that’s blocking the connection.

Investigation

The first step is to check if a local firewall on the remote host is enabled and blocking the connection. You can use ufw on Ubuntu or firewall-cmd on RedHat to check whether a firewall is enabled.

Ubuntu

$ sudo ufw status
status: active

To                         Action      From
--                         ------      ----
443                        ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
OpenSSH                    ALLOW       Anywhere

RedHat

$ sudo firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http https
  ports: 6816/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="192.168.0.14" port port="1515" protocol="tcp" accept

If a firewall is enabled on the remote host, try turning it off temporarily to determine whether it is the cause of the issue. If the local firewall is not enabled, check if another firewall or gateway on the network is blocking the connection.

Solution

You must ensure the NXLog Agent machine can connect to the remote host on the specified port. You may need your network administrator’s assistance to resolve the issue in such cases.