I have my Graylog server configured and added the syslog UDP input, but when I set up a couple of devices to send logs I am not receiving anything on the Graylog server. I am not sure where to begin looking for a problem, as this is all new to me.
Running sudo tcpdump -i ens160 host 10.53.9.9 and udp port 5140 I do see traffic, but if I just run sudo tcpdump -i ens160 host 127.0.0.1 and udp port 5140 I get nothing.
Thanks Bahram. That is not my issue; I am using 5140 for my input and have my firewall configured to send on the same port. I am able to start the input just fine.
Can you say more precisely how you do it?
Your first tcpdump command makes sense, but the second does not. You tried to dump connections from localhost and port 5140, but there is nothing because you probably don't send any logs from localhost.
So if you want to show all connections to port 5140, try the command without "host 127.0.0.1 and":
tcpdump -i ens160 udp port 5140
If you also want to check the content of the syslog messages, use:
sudo tcpdump -nnAs0 -i ens160 udp port 5140
For your problem of not getting anything into Graylog, try to check these things:
- If you are logged in as the admin user, try setting the correct timezone parameter in server.conf, parameter root_timezone:
root_timezone = Europe/Bratislava
Replace Europe/Bratislava with your real timezone.
Restart the Graylog server:
sudo systemctl restart graylog.service
If that does not help, maybe your devices use a non-standard syslog format without a proper timestamp; try checking the parameter "Allow overriding date?" in your input.
If none of that works, try replacing the Syslog UDP input with a RAW UDP input.
Hope this helps.
I found the problem. When setting up the input, for the bind address I was using 127.0.0.1. For some reason that does not work. When I changed it to 0.0.0.0 everything started flowing in.
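The following is an added example illustrating the two points in this thread, the answer's check of the incoming syslog format and the resolution about the input's bind address. It is not code from the thread or from Graylog. It assumes Linux, where every address in 127.0.0.0/8 is local, so 127.0.0.2 stands in for the server's LAN address (the 10.53.9.9 side of the tcpdump above) without needing a second interface; the syslog line it sends is constructed. A UDP listener bound to 127.0.0.1 only receives datagrams addressed to exactly 127.0.0.1, which is why an input bound there never sees traffic that arrives on the LAN address, while a listener on 0.0.0.0 receives both.

```python
"""Show why a Graylog syslog UDP input bound to 127.0.0.1 receives nothing from
other hosts, while one bound to 0.0.0.0 does, and check that a message has an
RFC 3164 header (PRI plus timestamp) so the input can parse its date.

Added example for this thread, not Graylog's own code. Assumes Linux, where the
whole 127.0.0.0/8 block is delivered on lo, so 127.0.0.2 plays the server's
LAN address. Listeners use ephemeral ports, not 5140, to avoid conflicts."""
import re
import socket

# Constructed RFC 3164 message, the kind a firewall would send to the input.
SAMPLE_SYSLOG = b"<134>Oct 11 22:14:15 fw01 kernel: test message from firewall"

# <PRI>Mmm dd hh:mm:ss hostname ... as the Syslog UDP input expects it.
RFC3164_HEADER = re.compile(
    rb"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)


def parse_rfc3164(message):
    """Return facility, severity, timestamp and host, or None if the header is
    non-standard (the case where "Allow overriding date?" or a RAW input helps)."""
    match = RFC3164_HEADER.match(message)
    if not match:
        return None
    pri = int(match.group("pri"))
    return {
        "facility": pri // 8,          # 134 // 8 = 16 (local0)
        "severity": pri % 8,           # 134 % 8 = 6 (informational)
        "timestamp": match.group("ts").decode(),
        "host": match.group("host").decode(),
    }


def open_listener(bind_addr, port=0):
    """Open a UDP socket the way an input with this bind address would."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    sock.settimeout(0.5)               # do not hang when nothing arrives
    return sock


def deliver(dest_ip, listener):
    """Send SAMPLE_SYSLOG to dest_ip on the listener's port; return the payload
    the listener received, or None if the datagram never reached it."""
    port = listener.getsockname()[1]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(SAMPLE_SYSLOG, (dest_ip, port))
    try:
        data, _ = listener.recvfrom(65535)
        return data
    except socket.timeout:
        return None


def bind_address_matrix():
    """For an input bound to 127.0.0.1 and one bound to 0.0.0.0, record whether
    a message addressed to the loopback address and to the 'LAN' address
    (127.0.0.2) is received: {bind_addr: {dest_ip: received}}."""
    results = {}
    for bind_addr in ("127.0.0.1", "0.0.0.0"):
        with open_listener(bind_addr) as listener:
            results[bind_addr] = {
                dest: deliver(dest, listener) == SAMPLE_SYSLOG
                for dest in ("127.0.0.1", "127.0.0.2")
            }
    return results


if __name__ == "__main__":
    print("header:", parse_rfc3164(SAMPLE_SYSLOG))
    for bind_addr, seen in bind_address_matrix().items():
        print(f"input bound to {bind_addr}:", seen)
```

The matrix mirrors the tcpdump filters from the question: a capture on the LAN address shows the packets arriving, but an input bound to 127.0.0.1 is simply not the socket they are delivered to, so Graylog shows nothing until the bind address is 0.0.0.0 (or the server's actual interface address).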