Hello, I'm having trouble configuring my Linux forwarder. I've completed the setup as per the documentation but I don't get any logs on the SIEM. Any hints?
Hi @Antonino_La2,
first of all I would recommend validating that there isn't a firewall or web proxy blocking the traffic.
In addition, you can check the forwarder for logs. You can use this guide:
https://cloud.google.com/chronicle/docs/install/forwarder-linux
The command would be: docker logs cfps --follow
Hi @shakedtal,
thank you for your reply. I've followed the guide you attached. The container looks like it's working fine. Following the logs with docker logs -f cfps I get a lot of logs like these:
488 syslog.go:396] Accepting new syslog TCP connection.
488 malchite.go.257] Batch (8, NIX_SYSTEM) successfully uploaded.
Already checked firewall/proxy configuration but nothing :(
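An added example, not part of the original thread or of the forwarder's documentation: a small shell function that tallies the two kinds of log line quoted above, so you can see at a glance whether the forwarder reports uploads for the log type you are sending. The function name, the sample lines (built from the two quoted lines) and the EXAMPLE_TYPE log type are constructed for illustration.

```shell
# Summarise forwarder container output read from stdin.
# Prints "connections=<n>", then one "uploaded <LOG_TYPE> <batches>" line
# per log type seen in "Batch (<number>, <LOG_TYPE>) successfully uploaded."
summarize_forwarder_log() {
    awk '
        /Accepting new syslog TCP connection/ { conns++ }
        /Batch \(.*\) successfully uploaded/ {
            s = $0
            sub(/^.*Batch \(/, "", s)    # drop everything up to "("
            sub(/\).*$/, "", s)          # drop ")" and the rest
            n = split(s, f, /, */)       # f[1] = number, f[2] = log type
            if (n == 2) batches[f[2]]++
        }
        END {
            printf "connections=%d\n", conns
            for (t in batches) printf "uploaded %s %d\n", t, batches[t]
        }
    ' | LC_ALL=C sort
}

# Constructed sample input, modelled on the two lines quoted in the thread.
sample_log() {
    cat <<'EOF'
488 syslog.go:396] Accepting new syslog TCP connection.
488 malchite.go.257] Batch (8, NIX_SYSTEM) successfully uploaded.
488 syslog.go:396] Accepting new syslog TCP connection.
488 malchite.go.257] Batch (3, NIX_SYSTEM) successfully uploaded.
488 malchite.go.257] Batch (5, EXAMPLE_TYPE) successfully uploaded.
EOF
}

sample_log | summarize_forwarder_log

# Against the running container from the thread:
#   docker logs cfps 2>&1 | summarize_forwarder_log
```

If the log type you expect is missing from the output while connections are being accepted, the input is arriving but is not being batched under that type.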
Have you looked to see that the forwarder itself is receiving telemetry? Between two Linux machines you can use netcat to push a string on a specific port, for example
I didn't check that, but since this is a test the telemetry comes from the same machine where the forwarder is running. I thought that the telemetry was successfully received due to the "Accepting new syslog TCP connection." line in the logs
If that's the case, you can go on the same machine and verify that the syslog folder has content.
Checked and there are several logs inside
Hi @Antonino_La2, I would recommend opening a support ticket to the team to take this forward. Please let me know if you have any additional questions.