Connection errors
When forwarding logs over TCP, you may encounter network connection errors where NXLog Agent cannot establish a connection to the remote host. There may be several reasons for network connection errors, but a firewall blocking communication is usually the cause. Knowledge of the network setup is helpful when troubleshooting such issues.
No route to host
- Symptom
  NXLog Agent fails to connect to a remote host with the following error:
  ERROR [om_tcp|siem] couldn't connect to 192.168.0.111:1514;No route to host
  INFO [om_tcp|siem] reconnecting to 192.168.0.111:1514 in 1 sec
- Possible reason
  Several issues could cause this error, including:
  - The remote host is offline.
  - The remote host is on a different network or subnet, and there’s no configured route between the networks.
  - The NXLog Agent machine or the remote host has a faulty or disconnected network adapter.
- Investigation
  Try to ping the remote host and verify whether you receive a response.
  It might be helpful to determine if NXLog Agent connected to the remote host successfully in the past by searching for the following string in the current and older log files:
  successfully connected to <ip_address>:<port>
  Replace <ip_address> with the hostname or IP address of the remote host and <port> with the actual port number it should be listening on.
  A past successful connection indicates that the issue is either temporary or caused by recent changes.
- Solution
  You must ensure the remote host is online and the NXLog Agent machine can connect to it. You may need your network administrator’s assistance to resolve the issue in such cases.
Connection refused or timed out
- Symptom
  NXLog Agent fails to connect to a remote host due to one of the following errors:
  INFO [om_tcp|siem] connecting to 192.168.0.111:1514
  ERROR [om_tcp|siem] couldn't connect to 192.168.0.111:1514;Connection refused
  or
  ERROR [om_tcp|siem] couldn't connect to 192.168.0.50:1515;Operation timed out
  ERROR [om_ssl|siem] couldn't connect to 192.168.0.50:1515;The timeout specified has expired
- Possible reason
  Errors like the above indicate that the two hosts can reach each other over the network, but the network rules do not allow the remote host to accept the connection. The culprit is usually a firewall that’s blocking the connection.
- Investigation
  The first step is to check if a local firewall on the remote host is enabled and blocking the connection. You can use ufw on Ubuntu or firewall-cmd on RedHat to check whether a firewall is enabled.
  - Ubuntu
    $ sudo ufw status
    status: active
    To                         Action      From
    --                         ------      ----
    443                        ALLOW       Anywhere
    22/tcp                     ALLOW       Anywhere
    OpenSSH                    ALLOW       Anywhere
  - RedHat
    $ sudo firewall-cmd --list-all
    public
      target: default
      icmp-block-inversion: no
      interfaces: eth0
      sources:
      services: ssh dhcpv6-client http https
      ports: 6816/tcp
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
        rule family="ipv4" source address="192.168.0.14" port port="1515" protocol="tcp" accept
  If a firewall is enabled on the remote host, try turning it off temporarily to determine whether it is the cause of the issue. If the local firewall is not enabled, check if another firewall or gateway on the network is blocking the connection.
- Solution
  You must ensure the NXLog Agent machine can connect to the remote host on the specified port. You may need your network administrator’s assistance to resolve the issue in such cases.
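
The log search and error triage described in both sections above can be scripted. The following is an added example, not NXLog code: it reads agent log text, tracks each destination, and maps the error strings shown on this page to the likely cause given here. The function and constant names, the sample lines, and their leading timestamps are constructed for illustration.

```python
import re
from collections import defaultdict

# Error strings and causes as given in the two sections above.
NO_ROUTE = "host offline, no route between networks, or faulty network adapter"
FIREWALL = "connection blocked: check the remote host's firewall, then network firewalls/gateways"
HINTS = {
    "No route to host": NO_ROUTE,
    "Connection refused": FIREWALL,
    "Operation timed out": FIREWALL,
    "The timeout specified has expired": FIREWALL,
}

OK_RE = re.compile(r"successfully connected to ([^\s;]+:\d+)")
FAIL_RE = re.compile(r"couldn't connect to ([^\s;]+:\d+);(.+)$")

# Constructed sample; the timestamp prefix is an assumption the regexes do not rely on.
SAMPLE_LOG = """\
2024-05-01 10:00:00 INFO [om_tcp|siem] successfully connected to 192.168.0.111:1514
2024-05-02 09:15:01 ERROR [om_tcp|siem] couldn't connect to 192.168.0.111:1514;No route to host
2024-05-02 09:15:01 INFO [om_tcp|siem] reconnecting to 192.168.0.111:1514 in 1 sec
2024-05-02 09:16:30 ERROR [om_ssl|siem] couldn't connect to 192.168.0.50:1515;The timeout specified has expired
"""

def triage(log_text):
    """Return {destination: state} built from the log lines in chronological order."""
    state = defaultdict(lambda: {"connected_before": False, "last_error": None, "hint": None})
    for line in log_text.splitlines():
        ok = OK_RE.search(line)
        if ok:
            entry = state[ok.group(1)]
            entry["connected_before"] = True
            entry["last_error"] = entry["hint"] = None  # a later success clears the error
            continue
        fail = FAIL_RE.search(line)
        if fail:
            reason = fail.group(2).strip()
            entry = state[fail.group(1)]
            entry["last_error"] = reason
            entry["hint"] = HINTS.get(reason, "error string not covered in this section")
    return dict(state)

if __name__ == "__main__":
    for dest, info in triage(SAMPLE_LOG).items():
        history = "worked before (temporary issue or recent change)" if info["connected_before"] else "never connected"
        print(f"{dest}: {info['last_error']} -> {info['hint']}; {history}")
```

To cover older log files as well, concatenate them oldest first before passing the text to triage().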