Communication of Logmanager
Logmanager for its proper operation requires a range of allowed network ports. For the correct settings of firewalls, and other network elements, please use the following chart:
Communication diagram of Logmanager
Communication initiated by Logmanager:
| Source | Destination | Port / Protocol | Description |
|---|---|---|---|
| Logmanager | DNS | 53 / UDP | |
| Logmanager | DNS | 53 / TCP | |
| Logmanager | LDAP | 389 / TCP | LDAP (users authentication) |
| Logmanager | LDAP | 686 / TCP | LDAPs (users authentication) |
| Logmanager | LDAP | 3268 / TCP | LDAP (AD Global Catalog) (users auth.) |
| Logmanager | LDAP | 3269 / TCP | LDAPs (AD Global Catalog) (users auth.). |
| Logmanager | NTP | 123 / UDP | Time synchronization |
| Logmanager | SMTP | 25 / TCP | Sending alerts, reports etc. |
| Logmanager | SMTP | 465 / TCP | SMTP authorization |
| Logmanager | SMTP | 587 / TCP | SMTP authorization |
| Logmanager | Database backup | 445 / TCP | SMB v3 (fallback on SMB v2) |
| Logmanager | System updates | 443 / TCP | Requires access to: https://up.logmanager.cz/ |
| Logmanager | Bug reporting | 443 / TCP | Requires access to: https://bugreport.logmanager.cz/ |
| Logmanager | O365 reading events from cloud | 443 / TCP | Access to entire internet or token renewal |
Bug reporting - this communication is disabled by default, the operator must enable it for it to work. For more information see here: Automatically send error reports to vendor.
Access to the update server Logmanager up.logmanager.cz requires transparent communication, i.e. without HTTPS/SSL inspection. Check your firewall settings to see if you are blocking communication or if you have HTTPS/SSL inspection (also known as MITM, or Man in the middle) enabled. If your firewall allows it, create a special unique rule for Logmanager to allow only the traffic you want.
Communication of Logmanager cluster:
| Source | Destination | Port / Protocol | Description |
|---|---|---|---|
| Logmanager | Logmanager | 443 / TCP | Cluster configuration |
| Logmanager | Logmanager | 51820 / UDP | WireGuard |
Minimal MTU between the nodes in Logmanager cluster is 1500.
Communication of Logmanager Forwarder:
| Source | Destination | Port / Protocol | Description |
|---|---|---|---|
| Logmanager Forwarder | Logmanager | 443 / TCP | Forwarder configuration |
| Logmanager Forwarder | Logmanager | 51821 / UDP | WireGuard |
Minimal MTU between the Logmanager and Logmanager Forwarder is 1410.
Communication of Logmanager sources:
| Source | Destination | Port / Protocol | Description |
|---|---|---|---|
| RELP | Logmanager | 20514 / TCP | |
| BEATS | Logmanager | 5044 / TCP | Beats Input Plugin |
| Syslog | Logmanager | 514 / UDP | |
| Syslog | Logmanager | 514 / TCP | |
| O365 log receive | Logmanager | 8443 / TCP | Receive events from O365 |
| Syslog | Logmanager | 10514 / UDP | |
| Syslog | Logmanager | 10514 / TCP | |
| Syslog | Logmanager | 51000 - 51100 / UDP | |
| Syslog | Logmanager | 51000 - 51100 / TCP | |
| Syslog | Logmanager | 6514 / TCP | TLS |
Logmanager will automatically trunk all incoming Beats file messages that exceed size limit of 64 000 bytes. Every truncated message will be automatically marked as truncated. You can find more information here - Beats.
Vendor support:
| Source | Destination | Port / Protocol | Description |
|---|---|---|---|
| SSH | Logmanager | 22 / TCP |
Access to web interface:
| Source | Destination | Port / Protocol | Description |
|---|---|---|---|
| Web | Logmanager | 443 / TCP | WebUI |
Communication of WES agent (legacy):
| Source | Destination | Port / Protocol | Description |
|---|---|---|---|
| WES | Logmanager | 443 / TCP | Agent configuration |
| WES | Logmanager | 20514 / TCP | RELP |
| WES | Logmanager | 20515 / TCP | TLS RELP |
Communication with VMware:
| Source | Destination | Port / Protocol | Description |
|---|---|---|---|
| Logmanager | VMware | 443 (default) / TCP | HTTPS access |
Communication with SQL servers:
| Source | Destination | Port / Protocol | Description |
|---|---|---|---|
| Logmanager | Microsoft SQL | 1433 / TCP | SQL component |
| Logmanager | Microsoft SQL Server Browser | 1434 / UDP | SQL component |
| Logmanager | MySQL | 3306 / TCP | SQL component |
| Logmanager | Oracle Database | 1521 / TCP | SQL component |
| Logmanager | PostgreSQL | 5432 / TCP | SQL component |
Communication of Logmanager Orchestrator:
| Source | Destination | Port / Protocol | Description |
|---|---|---|---|
| Logmanager Orchestrator | Logmanager | 443 / TCP | Agent configuration |
| Logmanager Orchestrator | Logmanager | 5044 / TCP | Beats Input plugin |
As is described in the communication matrix, Logmanager communicates both ways within the cluster. Communication and data synchronization here is between individual members. It uses TCP/443 and UDP/51820 to communicate.
In case of deploying Logmanager in a cluster, it is therefore necessary to enable firewall network policy not only towards the individual members, but also between the members themselves. In other words, for correct operation, each member of the cluster should have identical firewall rules.
Communication must be allowed between all cluster members.
Important note, BEWARE of Logmanager communication between forwarders/nodes through firewalls. We recommend using blackhole for your internal subnets. All Logmanager communication is going through UDP ports. Some firewalls do not respect the routing table under certain circumstances, but use the session table to send packets to the wrong interface, causing broken communication between Logmanagers/forwarders.
Example of FortiGate misbehaving when a forwarder is communicating through an IPSEC interface to a PBX:
- UDP session is established through an IPSEC tunnel.
- The IPSEC tunnel is in a down state (Internet outage, reconfiguration, etc.), the firewall disables the routers leading to the tunnel.
- The firewall discards the session, but the UDP packets are still coming, so it creates a new session according to the current routing table (only the default route to the Internet remains).
- The IPSEC tunnel restarts and activates the route to the tunnel
- However, the session still exists on the interface to the Internet, and since UDP packets are still coming in, they are erroneously sent to the Internet by the firewall.