Connection refused from rsyslog on any port or protocal

Graylog Central (peer support)
1

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:

New install on test environment.
Can’t get rsyslogs into Graylog server no matter what port or protocol I configure the input for.

2. Describe your environment:

  • OS Information: Rocky 9.7

  • Package Version: 4.22c

  • Service logs, configurations, and environment variables:
    rsyslogd[892]: cannot connect to xxx.xxx.xxx.xxx2514 Connection refused

  • Everything is on the same sub-net.
    allow_override_date:

    true

  • bind_address:

    0.0.0.0

  • charset_name:

    UTF-8

  • expand_structured_data:

    false

  • force_rdns:

    false

  • number_worker_threads:

    8

  • override_source:

  • port:

    2514

  • recv_buffer_size:

    262144

  • store_full_message:

    true

  • timezone:

    America/Chicago

3. What steps have you already taken to try and solve the problem?

Firewall disabled on all systems.
enforcement set to Permissive on all systems.
Can ping everything from everything

TCPDump on Graylog server shows test server sending packets:
IP GrayLog.facsys-ntp > gtest.46742: Flags [R.], seq 0, ack 3805805647, win 0, length 0
ARP, Request who-has GrayLog tell gtest, length 28
ARP, Reply GrayLog is-at 52:54:00:11:5e:79 (oui Unknown), length 28
ARP, Request who-has gtest tell GrayLog, length 28
ARP, Reply gtest is-at 52:54:00:f6:f8:11 (oui Unknown), length 28

4. How can the community help?
Why is nothing showing up in Graylog?
Input shows no data being recieved.

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

2

Are you sure the input it actually running. I say this because inputs now go into setup mode when created, and do not start until that is completed.

3

I rebuilt the input and received the following message:
Success

Input ‘Rsyslog UDP’ launched successfully
…………..

No data is showing as being received in the Graylog console.

4

On the client computer the following shows up in the system log:
gtest rsyslogd[892]: cannot connect to 172.xxx.xxxx.xxx:2514 (took 0.0 seconds): Connection refused

In the Graylog console for the Input, I see this:
Lifecycle state: Running

5

Is it possible locally to telnet to the port locally:

Possibilities should be visible with ‘$ netstat -an | grep 2514’
to see where and if the port is listening. It should be bound to the hosts IP adres and/or 0.0.0.0

6

$ netstat -an | grep 2514
udp6 0 0 :::2514 :::*
udp6 0 0 :::2514 :::*
udp6 0 0 :::2514 :::*
udp6 0 0 :::2514 :::sparkles:

We are not using IPv6 at all.

7

Really strange, your config is fine and there is nothing listening on ipv4.

here tcp4 is one 0.0.0.0:8514 listening, and all others active working on host-ip:8514 (rocky linux 8 / Graylog 6.1)

Is it possible to disable ipv6 completely, it is prone to these kind of issue’s sometimes.