Collecting Syslog

I have my Graylog server configured and added the Syslog UDP input, but when I set up a couple of devices to send logs I am not receiving anything on the Graylog server. I am not sure where to begin looking for the problem, as this is all new to me.

Running sudo tcpdump -i ens160 host 10.53.9.9 and udp port 5140, I do see traffic, but if I run sudo tcpdump -i ens160 host 127.0.0.1 and udp port 5140 I get nothing.

Hi, woodworth

Thanks Bahram. That is not my issue: I am using 5140 for my input and have my firewall configured to send on the same port. I am able to start the input just fine.

Thanks
Jeremy

Can you say more precisely how you do it?

Hello @woodworth

Your first tcpdump command makes sense, but the second does not. You tried to dump connections from localhost on port 5140, but there is nothing because you probably don’t send any logs from localhost.

So if you want to show all connections to port 5140, try the command without “host 127.0.0.1 and”:

tcpdump -i ens160 udp port 5140

If you also want to check the content of the syslog messages, use:

sudo tcpdump -nnAs0 -i ens160 udp port 5140

For your problem of not getting anything into Graylog, try to check these things:

  1. If you are logged in as the admin user, try to set the correct timezone parameter in server.conf, parameter root_timezone

vim /etc/graylog/server/server.conf
root_timezone = Europe/Bratislava

Replace Europe/Bratislava with your real timezone.

  2. Restart the Graylog server
    sudo systemctl restart graylog.service

  3. If that does not help, maybe your devices use a non-standard syslog format without a proper timestamp; try checking the “Allow overriding date?” parameter in your input

  4. If none of these work, try replacing the Syslog UDP input with a Raw UDP input.

Hope this helps.

I found the problem. When setting up the input’s bind address I was using 127.0.0.1. For some reason that does not work. When I changed it to 0.0.0.0, everything started flowing in.
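The reason 127.0.0.1 does not work is that a UDP socket bound to 127.0.0.1 only receives datagrams whose destination address is 127.0.0.1; syslog that a firewall sends to the server's LAN address is never handed to that socket, while 0.0.0.0 accepts datagrams arriving on every interface. The script below is an added example written for this thread, not Graylog's code or anything posted above. It reproduces that kernel behaviour with two throwaway listeners, and it also builds a properly timestamped RFC 3164 test message of the kind the "Allow overriding date?" step is about, so you can send a known-good line at your input before blaming the devices. The hostname, tag, facility and the 10.255.255.255 routing probe are constructed values.

```python
import socket
import time

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]


def build_syslog_message(facility, severity, hostname, tag, text, when=None):
    """Build an RFC 3164 (BSD syslog) datagram: <PRI>TIMESTAMP HOSTNAME TAG: MSG.

    PRI is facility * 8 + severity; the timestamp is "Mmm dd hh:mm:ss" with a
    space-padded day, the form a Syslog UDP input parses. `when` is Unix epoch
    seconds formatted as UTC (default: now). Real devices usually stamp local
    time, which is why the input's timezone and "Allow overriding date?" matter.
    """
    if when is None:
        when = time.time()
    t = time.gmtime(when)
    pri = facility * 8 + severity
    stamp = "%s %2d %02d:%02d:%02d" % (MONTHS[t.tm_mon - 1], t.tm_mday,
                                      t.tm_hour, t.tm_min, t.tm_sec)
    return "<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, text)


def primary_address():
    """Return this host's outbound (non-loopback) IPv4 address, or None.

    Connecting a UDP socket sends no packet; it only asks the kernel which
    local address it would use for the route. 10.255.255.255 is a constructed,
    unreachable target used purely for that route lookup.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        probe.connect(("10.255.255.255", 9))
        return probe.getsockname()[0]
    except OSError:
        return None
    finally:
        probe.close()


def delivered(bind_addr, dest_addr, payload):
    """Bind a UDP listener on bind_addr (ephemeral port), send payload to
    dest_addr on that port, and report whether the listener received it.
    This is exactly the choice a Graylog input makes with 127.0.0.1 vs 0.0.0.0."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((bind_addr, 0))
        port = listener.getsockname()[1]
        listener.settimeout(0.5)
        try:
            sender.sendto(payload, (dest_addr, port))
        except OSError:
            return False  # no route to dest_addr at all
        try:
            data, _ = listener.recvfrom(65535)
        except socket.timeout:
            return False  # datagram reached the host, but no socket owns that address:port
        return data == payload
    finally:
        listener.close()
        sender.close()


def main():
    msg = build_syslog_message(16, 6, "fw01", "syslog-test", "hello graylog").encode()
    print("test datagram:", msg.decode())
    print("bind 127.0.0.1, send to 127.0.0.1:", delivered("127.0.0.1", "127.0.0.1", msg))
    print("bind 0.0.0.0,   send to 127.0.0.1:", delivered("0.0.0.0", "127.0.0.1", msg))
    lan = primary_address()
    if lan and not lan.startswith("127."):
        # The thread's failure mode: listener on loopback, traffic aimed at the LAN address.
        print("bind 127.0.0.1, send to %s: %s" % (lan, delivered("127.0.0.1", lan, msg)))
        print("bind 0.0.0.0,   send to %s: %s" % (lan, delivered("0.0.0.0", lan, msg)))
    else:
        print("no non-loopback address on this host; skipping the LAN-address cases")


if __name__ == "__main__":
    main()
```

On a host with a LAN address the third line prints False and the fourth True, which is the whole story of this thread. To aim the same test datagram at a real input, replace the throwaway listener with `sender.sendto(msg, ("<graylog-ip>", 5140))` and watch it arrive with the tcpdump -nnAs0 command from above; if tcpdump sees it and Graylog does not, check the input's bind address before anything else.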