--- title: "Common issues with log forwarding" date: "2024-02-14T06:18:38+00:00" summary: "Troubleshoot log forwarding issues with SSL certificates, destination support, and firewall settings. Learn about common errors and solutions." image: type: "page" url: "/acquia-cloud-platform/common-issues-log-forwarding" id: "01001ef1-579e-44e3-9998-dc286af79320" --- For Cloud Platform to forward your logs to your destination service, you must have already installed a valid SSL certificate. When troubleshooting your SSL certificate, review the following SSL certificate issues and any returned [HTTP response codes](#log-forwarding-response-codes) to address the most common problems with log forwarding: * _Certificate expiration date_: The certificate’s expiration must be set to a date at least one month in the future. * _Valid public key_: Confirm that you have provided the correct public key for the SSL certificate that you have uploaded to the log forwarding service. * _Matching SSL certificates_: Confirm the [CA certificate](/acquia-cloud-platform/manage-apps/ssl/purchase#cloud-ssl-chain-certificates) you uploaded to the log forwarding destination infrastructure was signed with the same public key you uploaded to Cloud Platform. * _Certificate order_: If you are using bundled certificates, ensure the certificates in the chain are in the order they were generated. Your infrastructure’s certificate should be the first in the chain, and the final certificate in the chain should be the CA certificate for the signing authority. For more information, see [About SSL certificates and chain certificates](/acquia-cloud-platform/manage-apps/ssl/purchase#cloud-ssl-chain-certificates). * _Private key_: The private key and [certificate signing request](/acquia-cloud-platform/manage-apps/ssl/csr) (CSR) must be generated on the infrastructure on which you are installing the certificate for the certificate to install correctly. If the private key has been lost, the certificate must be reissued with a new CSR. Before you try to set up log forwarding: * Check if the destination is supported. * Ensure that there is no firewall, or IP blacklisting/IP allowlisting setup that can block the flow of logs. * If you use IP allowlisting on your log forwarding destination, you must have been assigned EIPs or Web EIPs in Cloud Platform. To know if these features are enabled, access the Cloud Platform user interface or visit [Using Elastic IP addresses](/acquia-cloud-platform/using-elastic-ip-addresses "Using Elastic IP addresses") and [Using Web Elastic IP addresses](/acquia-cloud-platform/using-web-elastic-ip-addresses "Using Web Elastic IP addresses"). * To forward logs from Cloud Platform balancers, you must add your EIPs to your allowlists. In addition, forwarding logs from web servers requires EIPs in Cloud Classic or Web EIPs in Cloud Next. Log forwarding response codes ----------------------------- After uploading your certificate to the log forwarding service, Cloud Platform attempts to evaluate the connection, and returns an error message if it can’t. The details for each of the following response codes can help you diagnose problems with your log forwarding configuration: Note: For Cloud Next applications, you can view the layer where log forwarding runs in the **Status** column in **Logs** > **Forward**: * Balancer layer or \[bal\]: Represents an issue with the balancer layer. * Web layer or \[web\]: Represents an issue with the web layer. Response code Error Description Applicable Cloud Platform version 100 Error on Multiple Layers The destination has configuration issues on both the balancer and web layers. The format of this error is: `[web][Error Code]Error Message [bal][Error Code]Error Message` Sample error message: `[web][301]ssl connection error [bal][401]Connection timed out` Cloud Next 200 _(None)_ The log forwarding service connected with the remote infrastructure. Cloud Next and Cloud Classic 301 SSL connection error Cloud Platform couldn’t establish a SSL connection with the log forwarding service. The error message should contain a stack trace. Cloud Next and Cloud Classic 302 SSL verification error SSL verification failed, the SSL certificate is invalid, or SSL is not accepted by the infrastructure. For more information, see the [Diagnostics section](https://www.openssl.org/docs/manmaster/man1/openssl-verify.html#DIAGNOSTICS) of the `openssl-verify` information page at OpenSSL.org. Cloud Next and Cloud Classic 303 Invalid key The SSL certificate wasn’t signed with the same key as the infrastructure’s SSL certificate. Cloud Next and Cloud Classic 401 Connection timed out The destination infrastructure hasn’t responded after a pre-determined period of time. The error message does not include information regarding the cause of the time out. Cloud Next and Cloud Classic 402 Connection refused The remote infrastructure being accessed isn’t configured to listen at the requested port, or has a firewall installed that’s rejecting the connection request initiated from Cloud Platform. Cloud Next and Cloud Classic 403 Connection aborted The client sent a TCP Reset (`RST`) response before the infrastructure accepted the connection requested by client. The remote infrastructure may have a firewall enabled, have NAT or router issues, a slow connection, or the infrastructure didn’t send the SSL/TLS closure notification as required by the SSL/TLS specifications. Cloud Next and Cloud Classic 404 Connection reset The destination infrastructure abruptly closed its end of the connection. Review the infrastructure logs on the destination infrastructure for application protocol errors and traffic spikes. Cloud Next and Cloud Classic 405 Socket error Communication between the Cloud Platform and destination infrastructure was blocked (such as by antivirus software or a firewall), a previously established network connection is terminated, or the destination infrastructure crashed or rebooted. Cloud Next and Cloud Classic 406 Host unreachable The log forwarding client cannot connect to the specified host. It might be that the host is on a private network. Cloud Next and Cloud Classic 407 Peer verification failed, please check the destination certificate chain matches the infrastructure certificate chain The log forwarding client can’t verify the infrastructure’s identity. Certificates are incorrect or missing. Use `openssl s_client` to check the infrastructure’s certificate chain. For example, `openssl s_client -showcerts -connect acquia.com:443` Make sure you’ve included in the log forwarding destination’s certificate field all the CA certificates from the chain in the listed depth order (biggest depth is last). Cloud Next and Cloud Classic 408 Installation Error Issue occurred during the setup of log forwarding resources. To resolve this issue, you can disable and re-enable the log forwarding destination. If the problem persists, [contact Acquia Support](/service-offerings/contacting-acquia-support "Contacting Acquia Support"). Cloud Next 500 Unknown An error not matching any of the previously described conditions has occurred. Cloud Next and Cloud Classic