The IP address 240.80.1.1 is used for some of the internal local IP communication between processes inside Logmanager. It can appear in logs which are created in the Logmanager itself.
Communication diagram of Logmanager
Logmanager, for its proper operation, requires a range of allowed network ports. For the correct settings of firewalls, and other network elements, please use the following chart:
Access to entire internet or token renewal (without SSL inspection)
Bug reporting - this communication is disabled by default, the operator must enable it for it to work. For more information see here: Automatically send error reports to vendor.
Access to the Logmanager up.logmanager.cz update server and Microsoft servers for reading events from the cloud requires transparent communication, i.e. without HTTPS/SSL inspection. Check your firewall settings to see if you are blocking communication or if you have HTTPS/SSL inspection (also known as MITM, or Man in the middle) enabled. If your firewall allows it, create a special unique rule for Logmanager to allow only the traffic you want.
Communication of Logmanager cluster:
Source
Destination
Port / Protocol
Description
Logmanager
Logmanager
443 / TCP
Cluster configuration
Logmanager
Logmanager
51820 / UDP
WireGuard
Minimal MTU between the nodes in Logmanager cluster is 1500.
Communication of Logmanager Forwarder:
Source
Destination
Port / Protocol
Description
Logmanager Forwarder
Logmanager
443 / TCP
Forwarder configuration
Logmanager Forwarder
Logmanager
51821 / UDP
WireGuard
Minimal MTU between the Logmanager and Logmanager Forwarder is 1410.
Communication of Logmanager sources:
Source
Destination
Port / Protocol
Description
RELP
Logmanager
20514 / TCP
BEATS
Logmanager
5044 / TCP
Beats Input Plugin
Syslog
Logmanager
514 / UDP
Syslog
Logmanager
514 / TCP
O365 log receive
Logmanager
8443 / TCP
Receive events from O365 (without SSL inspection)
Syslog
Logmanager
10514 / UDP
Syslog
Logmanager
10514 / TCP
Syslog
Logmanager
51000 - 51100 / UDP
Syslog
Logmanager
51000 - 51100 / TCP
Syslog
Logmanager
6514 / TCP
TLS
Logmanager will automatically trunk all incoming Beats file messages that exceed size limit of 64 000 bytes. Every truncated message will be automatically marked as truncated. You can find more information here - Beats.
Vendor support:
Source
Destination
Port / Protocol
Description
SSH
Logmanager
22 / TCP
Access to web interface:
Source
Destination
Port / Protocol
Description
Web
Logmanager
443 / TCP
WebUI
Communication of WES agent (legacy):
Source
Destination
Port / Protocol
Description
WES
Logmanager
443 / TCP
Agent configuration
WES
Logmanager
20514 / TCP
RELP
WES
Logmanager
20515 / TCP
TLS RELP
Communication with VMware:
Source
Destination
Port / Protocol
Description
Logmanager
VMware
443 (default) / TCP
HTTPS access
Communication with SQL servers:
Source
Destination
Port / Protocol
Description
Logmanager
Microsoft SQL
1433 / TCP
SQL component
Logmanager
Microsoft SQL Server Browser
1434 / UDP
SQL component
Logmanager
MySQL
3306 / TCP
SQL component
Logmanager
Oracle Database
1521 / TCP
SQL component
Logmanager
PostgreSQL
5432 / TCP
SQL component
Communication of Logmanager Orchestrator:
Source
Destination
Port / Protocol
Description
Logmanager Orchestrator
Logmanager
443 / TCP
Agent configuration
Logmanager Orchestrator
Logmanager
5044 / TCP
Beats Input plugin
Logmanager communication within the cluster
As is described in the communication matrix, Logmanager communicates both ways within the cluster. Communication and data synchronization here is between individual members. It uses TCP/443 and UDP/51820 to communicate.
In case of deploying Logmanager in a cluster, it is therefore necessary to enable firewall network policy not only towards the individual members, but also between the members themselves. In other words, for correct operation, each member of the cluster should have identical firewall rules.
Communication must be allowed between all cluster members.
Important note, BEWARE of Logmanager communication between forwarders/nodes through firewalls. We recommend using blackhole for your internal subnets. All Logmanager communication is going through UDP ports. Some firewalls do not respect the routing table under certain circumstances, but use the session table to send packets to the wrong interface, causing broken communication between Logmanagers/forwarders.
Example of FortiGate misbehaving when a forwarder is communicating through an IPSEC interface to a PBX:
UDP session is established through an IPSEC tunnel.
The IPSEC tunnel is in a down state (Internet outage, reconfiguration, etc.), the firewall disables the routers leading to the tunnel.
The firewall discards the session, but the UDP packets are still coming, so it creates a new session according to the current routing table (only the default route to the Internet remains).
The IPSEC tunnel restarts and activates the route to the tunnel
However, the session still exists on the interface to the Internet, and since UDP packets are still coming in, they are erroneously sent to the Internet by the firewall.