Solved

Cribl Not Receiving Fortinet Firewall Logs Over UDP Port 514

  • March 19, 2026
  • 14 replies
  • 2 views

This message originated from Cribl Community Slack.

Hi Team. I am trying to onboard Fortinet firewall logs into Cribl over UDP port 514. I am not receiving data in Cribl. I have asked the Fortinet team to route to a different UDP port such as 1514 or 5514, but the team wants to send the data only on port 514 over UDP. Is it possible to onboard the data from Fortinet with UDP port 514?

Best answer by Brandon McCombs

maybe a host firewall blocking the data?

14 replies

  • Employee
  • March 19, 2026
It's very much possible to do so. Have you checked that you are allowed privileged ports? If you are, have you checked that the firewall is not blocking the port between the Fortinet and Cribl? If the data is reaching the Cribl host but not showing in Cribl, is there something possibly blocking it on the host for Cribl (such as firewalld)?

Yeah, I checked; the firewall is not blocking the port. But I have a destination configured to QRadar on TCP 514, and I am trying to set up a UDP source on 514. Will it still be a conflict? If I run tcpdump -i any udp port 514 then I can see the traffic. But if I try to configure it in the syslog source with 514 then I am getting the "Initialization error: bind EACCESS 0.0.0.0:514" error.

  • Employee
  • March 19, 2026
Yup, so the link will resolve that issue for you. You are trying to bind on a privileged port using a non-root account, so you have to give permissions on the filesystem to do so.

Sorry, what permission do I need to give, and to which filesystem?

The link provided above explains the procedure. It's not file system permissions (I think what Daniel meant was using the command line) but rather OS capabilities that need to be modified for the Cribl service so it can bind to that port without being root.

Yes, now I am not able to see that error after providing the capabilities. Thanks for that! But if I run this command on the worker node, I can see the traffic from the Fortinet log coming into Cribl. But when I configure the syslog UDP port 514, I am not able to see any data in Live Capture. Am I missing anything? "tcpdump -i any udp port 514"

maybe a host firewall blocking the data?

In that case, would I get the output for "tcpdump -i any udp port 514" like this? If the firewall is blocking, then I shouldn't be getting output like this, right? I ran tcpdump on the worker node.


tcpdump captures before the packets are passed from the interface to the OS for firewall inspection.

Interesting. Let me investigate and get back to you. I have been told by the customer that there is no host firewall in place.

95% of the time it's a host firewall at fault, based on the current symptoms, so that's why I recommended that be checked first. Good luck!

Thanks Brandon

Hi @user. Yes, the issue was with the internal firewalld. The customer accepted adding UDP port 514 to firewalld. After adding 514 using this command it worked: firewall-cmd --zone=public --add-port=514/udp --permanent. Thanks a lot :slightly_smiling_face:
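The two failure modes in this thread can be separated with a minimal UDP listener that is independent of Cribl: a bind refused with EACCES on port 514 means the process lacks CAP_NET_BIND_SERVICE, while a successful bind that receives nothing although tcpdump shows packets points at the host firewall (tcpdump captures before netfilter drops). This is an added example, not Cribl's or the Fortinet team's code; the sample log line is constructed in Fortinet's key=value style, and the loopback self-test uses an ephemeral port so it runs unprivileged.

```python
import errno
import socket

# Constructed sample in Fortinet's key=value style; not output of a real device.
SAMPLE_FORTINET_LINE = ('<189>date=2026-03-19 time=10:00:00 devname="FGT-EXAMPLE" '
                        'type="traffic" subtype="forward" action="accept"')

def diagnose_bind_error(err: OSError, port: int) -> str:
    """Turn a bind() failure into the next check a practitioner should run."""
    if (isinstance(err, PermissionError) or err.errno == errno.EACCES) and port < 1024:
        return (f"EACCES on privileged port {port}: process is not root and lacks "
                "CAP_NET_BIND_SERVICE (grant it with setcap, or run as root)")
    if err.errno == errno.EADDRINUSE:
        return f"EADDRINUSE: another process already owns UDP {port} (see `ss -lunp`)"
    return f"bind failed: errno {err.errno} ({err.strerror})"

def open_udp_listener(host: str, port: int) -> socket.socket:
    """Bind a UDP socket; port 0 asks the kernel for a free ephemeral port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
    except OSError as err:
        sock.close()
        raise RuntimeError(diagnose_bind_error(err, port)) from err
    return sock

def send_syslog_datagram(host: str, port: int, line: str) -> None:
    # One UDP syslog message, used here only for the loopback self-test.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        sender.sendto(line.encode("utf-8"), (host, port))

def receive_datagrams(sock: socket.socket, max_count: int, timeout: float) -> list:
    """Collect up to max_count (source_ip, text) pairs, giving up after `timeout` s."""
    sock.settimeout(timeout)
    received = []
    while len(received) < max_count:
        try:
            data, (src_ip, _src_port) = sock.recvfrom(65535)
        except socket.timeout:
            break  # nothing arrived: if tcpdump shows packets, suspect the host firewall
        received.append((src_ip, data.decode("utf-8", "replace")))
    return received

def loopback_self_test() -> list:
    # Bind an ephemeral loopback port, send the sample to it, return what arrived.
    sock = open_udp_listener("127.0.0.1", 0)
    try:
        send_syslog_datagram("127.0.0.1", sock.getsockname()[1], SAMPLE_FORTINET_LINE)
        return receive_datagrams(sock, max_count=1, timeout=2.0)
    finally:
        sock.close()
```

To reproduce the thread's case, call `open_udp_listener("0.0.0.0", 514)` as the same unprivileged user the Cribl service runs as and then `receive_datagrams` while the Fortinet device sends. Note that a `firewall-cmd ... --permanent` change only takes effect after `firewall-cmd --reload` (or after repeating the command without `--permanent`).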

Is there a reason you prefer UDP over TCP syslog?