There is no open ports that are listening for logs

[dongepi]

Half a year ago, I had a working installation, but for various reasons, it had to be taken down. I did a clean install with the installer without any errors or problems, I logged in and installed the first agent on my computer, and everything was fine. However, the problems started when I tried to run different integrations (Cisco, PaloAlto, Vmware). All devices on the network were pre-configured from the previous installation with the same IP address and ports, but now nothing works now.

I went through all the settings again and followed every possible instruction without success. I found that there is nothing listening on the specified ports, for example, 7006 TCP, 514 UDP, 7056 TCP, 1470 TCP, and all the others from the integration guide.
There is no container with this ports and no iptables rules.

[c3s4rfred]

Hi @dongepi, what version are you using, the versions v9.x.x aren't compatible with v10.x.x.

Best regards

[dongepi]

The version is v10.3.0 202403041523. I utilized the Installer for the installation process. After consulting the integration guide, I noticed a port discrepancy: the old port was 514, while the new one is 7006. I proceeded to update the settings on my PaloAlto device accordingly. However, upon attempting to connect via telnet to port 7006, there appears to be no service listening. I've thoroughly checked the Docker configuration as well, but port 7006 is nowhere to be found.

I want to emphasize that this is my 3rd installation with Installer and before that I have two attempts with Image.

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 6daefa585f77 ghcr.io/utmstack/utmstack/correlation:v10 "/run.sh" 21 minutes ago Up 21 minutes utmstack_correlation.1.pw0k4tnrnd7cq285wgom187mg 6f41829db6f8 ghcr.io/utmstack/utmstack/agent-manager:v10 "/app/server" 21 minutes ago Up 21 minutes (healthy) 50051/tcp utmstack_agentmanager.1.u4glsrw15c7v40aa0j0ji4y9c 0572071f7908 utmstack.azurecr.io/datasources:v10 "python3 -m utmstack…" 21 minutes ago Up 21 minutes utmstack_aws.1.szmax61i31i3pcd2wcse19ohb d9677f8b76e4 utmstack.azurecr.io/datasources:v10 "python3 -m utmstack…" 21 minutes ago Up 21 minutes utmstack_sophos.1.v6n9k51tngfp8ad40je0b9g8k 629c7b4dfc9d utmstack.azurecr.io/opensearch:v10 "./opensearch-docker…" 22 minutes ago Up 22 minutes 9200/tcp, 9300/tcp, 9600/tcp, 9650/tcp utmstack_node1.1.r2zlim846il4qqd45zrmwo2ia 593317ada341 utmstack.azurecr.io/logstash:v10 "/usr/local/bin/dock…" 22 minutes ago Up 22 minutes (healthy) 5044/tcp, 9600/tcp utmstack_logstash.1.7x4dwpj5izqcu5kmm6kaa3tsd 8b45cf12e1d0 utmstack.azurecr.io/postgres:v10 "docker-entrypoint.s…" 22 minutes ago Up 22 minutes (healthy) 5432/tcp utmstack_postgres.1.kwcrd25n795nodisc27bxrege 8153a6067e0f ghcr.io/utmstack/utmstack/frontend:v10 "/docker-entrypoint.…" 22 minutes ago Up 22 minutes (healthy) 80/tcp utmstack_frontend.1.sthbuuonh5ytptoimuq538to4 f4b9d82d4d59 ghcr.io/utmstack/utmstack/mutate:v10 "python main.py" 22 minutes ago Up 22 minutes utmstack_mutate.1.z73xbrpyiuzwiiqqhz0erge8v d7d7dd6eb05f ghcr.io/utmstack/utmstack/bitdefender:v10 "/bin/sh -c ./bdgz_i…" 22 minutes ago Up 22 minutes utmstack_bitdefender.1.uxxlb7z5gpwulbi4xqzr8l425 854eda4836a6 ghcr.io/utmstack/utmstack/log-auth-proxy:v10 "/app/server" 22 minutes ago Up 22 minutes 8080/tcp, 50051/tcp utmstack_log-auth-proxy.1.ukyfapcwzecse5v6hu99ya2v5 dccacbc7d8d3 ghcr.io/utmstack/filebrowser/filebrowser:v10 "/run.sh" 22 minutes ago Up 22 minutes (healthy) utmstack_filebrowser.1.yd5e971payu2kohwv5xm2wotg e1492c9b69e9 ghcr.io/utmstack/utmstack/backend:v10 "java -jar utmstack.…" 22 minutes ago Up 22 minutes (healthy) 8080/tcp utmstack_backend.1.llifjyic9enu7lnku1czekyme fe2668e1fcab ghcr.io/utmstack/utmstack/web-pdf:v10 "/bin/sh -c '/opt/bi…" 22 minutes ago Up 22 minutes 4444/tcp, 5900/tcp, 8080/tcp utmstack_web-pdf.1.frdmztfa4lha44gsi4427dm7q 09d3f55c1bcc ghcr.io/utmstack/utmstack/user-auditor:v10 "java -jar user-audi…" 22 minutes ago Up 22 minutes 8080/tcp utmstack_user-auditor.1.acggt8odaea2t2l0f1uopzuen 3a1d97f655e3 ghcr.io/utmstack/soc-ai/soc-ai:v10 "/bin/sh -c ./soc_ai" 22 minutes ago Up 22 minutes utmstack_socai.1.mwnxxn898z0oit1y1grofpibz 02b815d89c69 ghcr.io/utmstack/utmstack/office365:v10 "/bin/sh -c ./o365_i…" 22 minutes ago Up 22 minutes utmstack_office365.1.j2d6euu9x5pv4ssnlmgvru8yf

[osmontero]

Hello, please review the steps in the integration guide. Starting with version 10, it is necessary to install an agent and enable the necessary modules to receive data from your network devices in that agent. After that you must point your devices to send logs to the server or workstation where said agent is installed, instead of sending the logs to the UTMStack instance. Additionally, you can also install an agent on the UTMStack instance, but the agent is not installed by default. For reasons of protecting the data as it travels over the network, we decided to send the logs to an agent that may be installed on a subnet closer to the device you want to monitor, instead of sending the logs to the UTMStack instance that may be multiple hops from the device, which is vulnerable to Man in the Midle attacks, since many devices that send logs using Syslog do not have TLS support.

[dongepi]

osmontero, Thank you for your response. The method you described has resolved all issues, but there's definitely a lack of detailed documentation explaining the log collection process. I wouldn't have discovered it on my own, and I'm certain many others will encounter the same issue. The official documentation completely overlooks any indication that AGENTS are now used as LOG COLLECTOR for all devices, forwarding the data to UTMSTACK.

[osmontero]

We're a small team passionate about development, and we'd be incredibly grateful for the community's help in keeping our documentation top-notch. If you spot areas for improvement, please open issues in our documentation repo. Pull requests with suggested changes are even more amazing and help us tremendously!