Communication of Logmanager

The IP address 240.80.1.1 is used for some of the internal local IP communication between processes inside Logmanager. It can appear in logs which are created in the Logmanager itself.

Communication diagram of Logmanager

Logmanager, for its proper operation, requires a range of allowed network ports. For the correct settings of firewalls, and other network elements, please use the following chart:

Communication matrix of Logmanager

Communication initiated by Logmanager:

Source	Destination	Port / Protocol	Description
Logmanager	DNS	53 / UDP
Logmanager	DNS	53 / TCP
Logmanager	LDAP	389 / TCP	LDAP (users authentication)
Logmanager	LDAP	686 / TCP	LDAPs (users authentication)
Logmanager	LDAP	3268 / TCP	LDAP (AD Global Catalog) (users auth.)
Logmanager	LDAP	3269 / TCP	LDAPs (AD Global Catalog) (users auth.).
Logmanager	NTP	123 / UDP	Time synchronization
Logmanager	SMTP	25 / TCP	Sending alerts, reports etc.
Logmanager	SMTP	465 / TCP	SMTP authorization
Logmanager	SMTP	587 / TCP	SMTP authorization
Logmanager	Database backup	445 / TCP	SMB v3 (fallback on SMB v2)
Logmanager	System updates	443 / TCP	Requires access to: https://up.logmanager.cz/ (see Warning)
Logmanager	Bug reporting (see Note)	443 / TCP	Requires access to: https://bugreport.logmanager.cz/
Logmanager	O365 reading events from cloud	443 / TCP	Access to entire internet or token renewal (without SSL inspection)

Bug reporting - this communication is disabled by default, the operator must enable it for it to work. For more information see here: Automatically send error reports to vendor.

Access to the Logmanager up.logmanager.cz update server and Microsoft servers for reading events from the cloud requires transparent communication, i.e. without HTTPS/SSL inspection. Check your firewall settings to see if you are blocking communication or if you have HTTPS/SSL inspection (also known as MITM, or Man in the middle) enabled. If your firewall allows it, create a special unique rule for Logmanager to allow only the traffic you want.

Communication of Logmanager cluster:

Source	Destination	Port / Protocol	Description
Logmanager	Logmanager	443 / TCP	Cluster configuration
Logmanager	Logmanager	51820 / UDP	WireGuard

Minimal MTU between the nodes in Logmanager cluster is 1500.

Communication of Logmanager Forwarder:

Source	Destination	Port / Protocol	Description
Logmanager Forwarder	Logmanager	443 / TCP	Forwarder configuration
Logmanager Forwarder	Logmanager	51821 / UDP	WireGuard

Minimal MTU between the Logmanager and Logmanager Forwarder is 1410.

Communication of Logmanager sources:

Source	Destination	Port / Protocol	Description
RELP	Logmanager	20514 / TCP
BEATS	Logmanager	5044 / TCP	Beats Input Plugin
Syslog	Logmanager	514 / UDP
Syslog	Logmanager	514 / TCP
O365 log receive	Logmanager	8443 / TCP	Receive events from O365 (without SSL inspection)
Syslog	Logmanager	10514 / UDP
Syslog	Logmanager	10514 / TCP
Syslog	Logmanager	51000 - 51100 / UDP
Syslog	Logmanager	51000 - 51100 / TCP
Syslog	Logmanager	6514 / TCP	TLS

Logmanager will automatically trunk all incoming Beats file messages that exceed size limit of 64 000 bytes. Every truncated message will be automatically marked as truncated. You can find more information here - Beats.

Vendor support:

Source	Destination	Port / Protocol	Description
SSH	Logmanager	22 / TCP

Access to web interface:

Source	Destination	Port / Protocol	Description
Web	Logmanager	443 / TCP	WebUI

Communication of WES agent (legacy):

Source	Destination	Port / Protocol	Description
WES	Logmanager	443 / TCP	Agent configuration
WES	Logmanager	20514 / TCP	RELP
WES	Logmanager	20515 / TCP	TLS RELP

Communication with VMware:

Source	Destination	Port / Protocol	Description
Logmanager	VMware	443 (default) / TCP	HTTPS access

Communication with SQL servers:

Source	Destination	Port / Protocol	Description
Logmanager	Microsoft SQL	1433 / TCP	SQL component
Logmanager	Microsoft SQL Server Browser	1434 / UDP	SQL component
Logmanager	MySQL	3306 / TCP	SQL component
Logmanager	Oracle Database	1521 / TCP	SQL component
Logmanager	PostgreSQL	5432 / TCP	SQL component

Communication of Logmanager Orchestrator:

Source	Destination	Port / Protocol	Description
Logmanager Orchestrator	Logmanager	443 / TCP	Agent configuration
Logmanager Orchestrator	Logmanager	5044 / TCP	Beats Input plugin

Logmanager communication within the cluster

As is described in the communication matrix, Logmanager communicates both ways within the cluster. Communication and data synchronization here is between individual members. It uses TCP/443 and UDP/51820 to communicate.

In case of deploying Logmanager in a cluster, it is therefore necessary to enable firewall network policy not only towards the individual members, but also between the members themselves. In other words, for correct operation, each member of the cluster should have identical firewall rules.

Communication must be allowed between all cluster members.

Important note, BEWARE of Logmanager communication between forwarders/nodes through firewalls. We recommend using blackhole for your internal subnets. All Logmanager communication is going through UDP ports. Some firewalls do not respect the routing table under certain circumstances, but use the session table to send packets to the wrong interface, causing broken communication between Logmanagers/forwarders.

Example of FortiGate misbehaving when a forwarder is communicating through an IPSEC interface to a PBX:

UDP session is established through an IPSEC tunnel.
The IPSEC tunnel is in a down state (Internet outage, reconfiguration, etc.), the firewall disables the routers leading to the tunnel.
The firewall discards the session, but the UDP packets are still coming, so it creates a new session according to the current routing table (only the default route to the Internet remains).
The IPSEC tunnel restarts and activates the route to the tunnel
However, the session still exists on the interface to the Internet, and since UDP packets are still coming in, they are erroneously sent to the Internet by the firewall.