Connection refused on any Port except 9000, 9200, 9300


(Marc) #1

Hey there,

I am a newbie in Graylog and I set it up for the first time on a clean Ubuntu 16.04. I can reach the WebUI and I am able to pull input on the API. Now I am trying to send syslogs from my Sophos UTM 9. I found some extractors on the Marketplace which I am going to use. Now I created a new RAW/Plaintext UDP on port 5555. I set up the UTM to send the logs to the Graylog. This is the outcome from the Sophos:

2018:10:04-16:32:17 utm syslog-ng[5403]: Syslog connection failed; fd='68', server='AF_INET(172.16.1.54:5555)', error='Connection refused (111)', time_reopen='60'

I tried to curl a telnet connection to the port directly on the server but I only got a Connection refused message.

connect to 172.16.1.54 port 5555 failed: Connection refused

The firewall is disabled.

netstat -lun

Proto Recv-Q Send-Q Local Address Foreign Address State
udp 0 0 0.0.0.0:33911 0.0.0.0:*
udp6 0 0 :::5414 :::*
udp6 0 0 172.16.1.54:5555 :::*
udp6 0 0 172.16.1.54:12201 :::*
udp6 0 0 172.16.1.54:8514 :::*

I tried to reboot the server several times.

Does anyone know this issue?


(Jan Doberstein) #2

Did you check if you have some kind of firewall active on the Graylog?


(Marc) #3

Do you mean the Graylog itself or the server? On the server the firewall is disabled. If you meant the Graylog, I need to know where I have to look for it.


#4

Hi,

Are you sure you are using UDP on the rsyslog side? UDP is connectionless, so there should be no attempt to make a connection if you use UDP.

Personally, I like TCP, so I would set up the input in TCP (and use rsyslog type input), and configure rsyslog to send in TCP.
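
The point made in the reply above, as an added example that is not part of the original thread: a socket bound only on UDP (standing in here for the Raw/Plaintext UDP input) refuses a TCP connect with ECONNREFUSED, while a UDP datagram to the same port still arrives. The names `probe` and `demo`, the loopback address and the test message are constructed for illustration.

```python
import socket

def probe(host, port, timeout=0.5):
    """Report how host:port answers a TCP connect and a UDP datagram."""
    result = {}
    # TCP needs a handshake: with no TCP listener the kernel answers with a
    # RST and connect() fails with ECONNREFUSED (errno 111 on Linux).
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tcp:
        tcp.settimeout(timeout)
        try:
            tcp.connect((host, port))
            result["tcp"] = "open"
        except ConnectionRefusedError:
            result["tcp"] = "refused"
        except OSError:
            result["tcp"] = "no answer"
    # UDP has no handshake. connect() here only sets the default peer so that
    # an ICMP "port unreachable" is reported back to this socket.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        try:
            udp.connect((host, port))
            udp.send(b"<14>probe: constructed test message")
            udp.recv(1)
            result["udp"] = "replied"
        except socket.timeout:
            result["udp"] = "sent, no error"  # listener present, or filtered
        except ConnectionRefusedError:
            result["udp"] = "refused"  # nothing bound on UDP
        except OSError:
            result["udp"] = "error"
    return result

def demo():
    """Bind a UDP-only listener on loopback and probe it with both protocols."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # kernel picks a free port
        listener.settimeout(1.0)
        port = listener.getsockname()[1]
        result = probe("127.0.0.1", port)
        data, _ = listener.recvfrom(1024)  # datagram arrived despite TCP refusal
    return result, data

if __name__ == "__main__":
    print(demo())
```

Calling `probe` with the input's address and port from the sending host shows which of the two protocols the port actually answers.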


(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.