external to internal path confusion

0

I am attempting to send syslog from external ESET to an internal Splunk server. I have contacted both ESET and Meraki (I have an internal VMX), and everything is set up correctly. We have completed a packet capture on the VMX, and the traffic from ESET does not touch the external surface of the VMX. This is telling me that AWS may be blocking the traffic to the VMX. Where would I start to figure out where the blocking may be happening?

asked 3 months ago · 84 views
1 Answer
0

Given your situation, where syslog messages from an external ESET instance are not reaching your internal Splunk server through a Meraki VMX hosted on AWS, and you have confirmed through packet captures that the traffic isn't reaching the external interface of the VMX, the issue likely lies in the network configuration within AWS or the security settings that govern inbound traffic to your VMX. Here’s how you can start troubleshooting and identifying where the block might be happening:

1. Check Security Groups: Start by examining the security groups associated with your VMX instance in AWS. Security groups act as a virtual firewall for instances to control inbound and outbound traffic. Ensure that the security group assigned to your VMX allows inbound traffic on the port used by syslog (usually UDP 514) from the ESET source IP address.

2. Network Access Control Lists (NACLs): Check the NACLs for the subnet where your VMX is located. NACLs can block traffic entering or leaving a subnet. Verify that the NACLs allow inbound and outbound traffic for the syslog port from and to the ESET IP address.

3. AWS VPC Flow Logs: Enable VPC Flow Logs for the network interface of the VMX instance. Flow logs capture information about the IP traffic going to and from network interfaces in your VPC. By analyzing these logs, you can see whether the syslog packets are reaching the AWS environment and where they might be getting dropped.

4. Firewall/IPS on AWS or VMX: If there is a firewall or an intrusion prevention system (IPS) in the path between ESET and your Splunk server (either on AWS or within the VMX configuration), check its logs and configuration to ensure it is not blocking or filtering the syslog traffic.

5. AWS Network Firewall: If you are using AWS Network Firewall, check its policies to ensure that traffic on the syslog port from the ESET IP address is allowed.

By systematically checking each of these areas, you should be able to identify and resolve the block preventing your syslog messages from reaching your Splunk server.

AWS SUPPORT ENGINEER
Rutba_Z
answered 3 months ago

EXPERT
reviewed a month ago
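The two AWS-side checks in the answer that are easiest to get wrong in practice are reading Flow Log records and reasoning about NACL rule order. The following is an added example, not part of the answer above or any AWS tooling: it parses a handful of constructed VPC Flow Log records in the default version 2 format, reports per-ENI ACCEPT/REJECT counts for the syslog flow from a given sender, and evaluates a constructed inbound NACL rule set the way AWS does (lowest rule number first, first match wins, implicit deny otherwise). The interface ID, account ID, IP addresses and rule numbers are invented sample values; 203.0.113.10 stands in for the ESET sender and 10.0.1.25 for the VMX interface.

```python
"""Triage helpers for the syslog-path checklist (added example, constructed data).

parse_flow_log()   -> list of dict records from default v2 VPC Flow Log text
syslog_verdicts()  -> per-(ENI, action) packet counts for src_ip -> dst_port/proto
nacl_verdict()     -> (action, rule_number) for a packet against an inbound NACL
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SYSLOG_PORT = 514
UDP = 17
TCP = 6

# Field order of the default VPC Flow Log format (version 2).
FLOW_FIELDS = ("version", "account-id", "interface-id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log-status")

# Constructed sample records (documentation address ranges, invented IDs).
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51514 514 17 12 3400 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51514 514 17 9 2500 1700000060 1700000120 REJECT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44000 443 6 4 900 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 203.0.113.10 514 51514 17 1 100 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1700000120 1700000180 - NODATA
"""


def parse_flow_log(text):
    """Return records whose log-status is OK; NODATA/SKIPDATA rows carry no flow fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue
        rec = dict(zip(FLOW_FIELDS, parts))
        if rec["log-status"] == "OK":
            records.append(rec)
    return records


def syslog_verdicts(records, src_ip, dst_port=SYSLOG_PORT, proto=UDP):
    """Sum packets per (interface, action) for flows from src_ip to dst_port/proto.

    A REJECT here means the packet reached the ENI and was refused by a security
    group or NACL; no record at all means it never arrived in the VPC.
    """
    counts = Counter()
    for rec in records:
        if (rec["srcaddr"] == src_ip and int(rec["dstport"]) == dst_port
                and int(rec["protocol"]) == proto):
            counts[(rec["interface-id"], rec["action"])] += int(rec["packets"])
    return dict(counts)


@dataclass(frozen=True)
class NaclRule:
    number: int      # 1-32766; the trailing '*' deny is modelled by the fallthrough
    protocol: int    # IANA number, -1 = all protocols (ports ignored)
    cidr: str
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


# Constructed inbound NACL: a broad deny at 110 shadows the specific allow at 120.
SAMPLE_INBOUND_NACL = [
    NaclRule(100, TCP, "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(110, UDP, "203.0.113.0/24", SYSLOG_PORT, SYSLOG_PORT, "deny"),
    NaclRule(120, UDP, "203.0.113.10/32", SYSLOG_PORT, SYSLOG_PORT, "allow"),
]


def nacl_verdict(rules, src_ip, dst_port, proto):
    """Evaluate rules in ascending number order; first match decides, else ('deny', '*')."""
    src = ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in (-1, proto):
            continue
        if src not in ip_network(rule.cidr):
            continue
        if rule.protocol != -1 and not (rule.port_from <= dst_port <= rule.port_to):
            continue
        return rule.action, rule.number
    return "deny", "*"


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print("flow log:", syslog_verdicts(recs, "203.0.113.10"))
    print("nacl:", nacl_verdict(SAMPLE_INBOUND_NACL, "203.0.113.10", SYSLOG_PORT, UDP))
```

Run against real data, the flow-log summary answers the question the answer's step 3 poses: REJECT rows for the ESET address mean the packets do arrive at the VMX's ENI and a security group or NACL drops them; no rows at all means the traffic is lost before the VPC (internet gateway, route table, or the sender's side). The NACL evaluator illustrates why step 2 needs a rule-by-rule read rather than a glance for an allow entry: a lower-numbered deny covering the same CIDR wins regardless of a later, more specific allow.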
