
Common issues with log forwarding

For Cloud Platform to forward your logs to your destination service, you must have already installed a valid SSL certificate. When troubleshooting your SSL certificate, review the following SSL certificate issues and any returned HTTP response codes to address the most common problems with log forwarding:

  • Certificate expiration date: The certificate’s expiration must be set to a date at least one month in the future.
  • Valid public key: Confirm that you have provided the correct public key for the SSL certificate that you have uploaded to the log forwarding service.
  • Matching SSL certificates: Confirm the CA certificate you uploaded to the log forwarding destination infrastructure was signed with the same public key you uploaded to Cloud Platform.
  • Certificate order: If you are using bundled certificates, ensure the certificates in the chain are in the order they were generated. Your infrastructure’s certificate should be the first in the chain, and the final certificate in the chain should be the CA certificate for the signing authority. For more information, see About SSL certificates and chain certificates.
  • Private key: The private key and certificate signing request (CSR) must be generated on the infrastructure on which you are installing the certificate for the certificate to install correctly. If the private key has been lost, the certificate must be reissued with a new CSR.

Before you try to set up log forwarding:

  • Check if the destination is supported.
  • Ensure that there is no firewall that is blocking the flow of logs.

Log forwarding response codes

After uploading your certificate to the log forwarding service, Cloud Platform attempts to evaluate the connection, and returns an error message if it can’t. The details for each of the following response codes can help you diagnose problems with your log forwarding configuration:

| Response code | Error | Description |
|---|---|---|
| 200 | (None) | The log forwarding service connected with the remote infrastructure. |
| 301 | SSL connection error | Cloud Platform couldn’t establish an SSL connection with the log forwarding service. The error message should contain a stack trace. |
| 302 | SSL verification error | SSL verification failed, the SSL certificate is invalid, or SSL is not accepted by the infrastructure. For more information, see the Diagnostics section of the openssl-verify information page at OpenSSL.org. |
| 303 | Invalid key | The SSL certificate wasn’t signed with the same key as the infrastructure’s SSL certificate. |
| 401 | Connection timed out | The destination infrastructure hasn’t responded after a pre-determined period of time. The error message does not include information regarding the cause of the timeout. |
| 402 | Connection refused | The remote infrastructure being accessed isn’t configured to listen at the requested port, or has a firewall installed that’s rejecting the connection request initiated from Cloud Platform. |
| 403 | Connection aborted | The client sent a TCP Reset (RST) response before the infrastructure accepted the connection requested by the client. The remote infrastructure may have a firewall enabled, have NAT or router issues, a slow connection, or the infrastructure didn’t send the SSL/TLS closure notification as required by the SSL/TLS specifications. |
| 404 | Connection reset | The destination infrastructure abruptly closed its end of the connection. Review the infrastructure logs on the destination infrastructure for application protocol errors and traffic spikes. |
| 405 | Socket error | Communication between Cloud Platform and the destination infrastructure was blocked (such as by antivirus software or a firewall), a previously established network connection was terminated, or the destination infrastructure crashed or rebooted. |
| 406 | Host unreachable | The log forwarding client cannot connect to the specified host. It might be that the host is on a private network. |
| 407 | Peer verification failed, please check the destination certificate chain matches the infrastructure certificate chain | The log forwarding client can’t verify the infrastructure’s identity. Certificates are incorrect or missing. Use openssl s_client to check the infrastructure’s certificate chain. For example: `openssl s_client -showcerts -connect acquia.com:443` Make sure you’ve included in the log forwarding destination’s certificate field all the CA certificates from the chain in the listed depth order (biggest depth is last). |
| 500 | Unknown | An error not matching any of the previously described conditions has occurred. |
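
The certificate order and expiration requirements listed at the top of this page, and the chain check suggested for response code 407, can be tested locally on a PEM bundle before it is uploaded. The script below is an added example, not part of the original page or of Cloud Platform's tooling; the function names are hypothetical and "one month" is approximated as 30 days.

```shell
# Added example: pre-upload checks for a PEM certificate bundle.
# Assumptions: function names are hypothetical; "one month" is taken as 30 days.
# Checks name chaining and expiry only; signatures still need `openssl verify`.

# split_bundle BUNDLE OUTDIR: write each cert to OUTDIR/cert-N.pem, print the count.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n + 0 }' "$1"
}

# cert_name FIELD FILE: print the subject or issuer DN in RFC 2253 form.
cert_name() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# check_bundle BUNDLE: 0 = ordered and not expiring, 1 = problem found, 2 = no certs.
check_bundle() {
  local tmp count i rc=0
  [ -r "$1" ] || { echo "cannot read $1"; return 2; }
  tmp=$(mktemp -d) || return 2
  count=$(split_bundle "$1" "$tmp")
  if [ "$count" -eq 0 ]; then
    echo "no certificates found in $1"; rm -rf "$tmp"; return 2
  fi
  i=1
  while [ "$i" -le "$count" ]; do
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$tmp/cert-$i.pem" -noout -checkend $((30 * 24 * 3600)) >/dev/null; then
      echo "certificate $i expires within 30 days"; rc=1
    fi
    # Each certificate must be issued by the one that follows it in the bundle.
    if [ "$i" -lt "$count" ] &&
       [ "$(cert_name issuer "$tmp/cert-$i.pem")" != "$(cert_name subject "$tmp/cert-$((i + 1)).pem")" ]; then
      echo "certificate $i is not issued by certificate $((i + 1)): wrong order or missing intermediate"; rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  return "$rc"
}
```

Run it as `check_bundle bundle.pem`; a non-zero exit status together with the printed message identifies which certificate in the bundle to fix.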