Correct Input Settings

Hello everyone. I installed Graylog on Ubuntu 18 LTS.
I want to see my other servers' syslogs in Graylog.
I created a Syslog TCP input on port 514.
When I look at tcpdump on port 514, I can see the packets coming from the other server.

But I cannot see any log in Graylog. I think I did not choose the correct input.
Because I created another input for testing. This input is Raw/Plaintext TCP 514 and I can see the raw log with this input.

Where do you think the error is?

Ensure that your inputs are starting properly.
https://docs.graylog.org/en/3.1/pages/faq.html#how-can-i-start-an-input-on-a-port-below-1024

By default, Graylog will not listen on ports <1024 as it doesn’t have permission to bind to those ports.

Hello, thanks for the answer, but I already made this config. I can see the log with tcpdump on port 514 and I can see the raw input.

hey @gelveri

what exactly did you configure?

Hello, I configured the Syslog TCP input.

@gelveri

my question was more: which possible solution did you choose? It looks like you have Graylog running as root now, because you have the input running on port 514.

What kind of data did you ingest? Did you check whether that data follows the syslog standard? Is the date format what it should be? Did you see any errors in the Graylog server.log?

When I create “Raw / Plaintext TCP” type input over port 514, I can see the following log.

<38>1 2020-01-27T09:29:58.660546+00:00 gelveriweb sshd 3376 - - Failed password for gelveri from 86.140.83.78 port 60178 ssh2

This is a standard ubuntu system log.

But without making any other changes, I just changed the type of input to “Syslog TCP”. It still works on port 514 and it starts smoothly.

But now when I press the “Show received messages” button, I can’t see any logs.

I couldn’t see a log about it in “Graylog server.log”.

hey @gelveri

you should add the following to your syslog configuration so that the sent messages are in a format Graylog can understand:

RSYSLOG_SyslogProtocol23Format

The complete line would look similar to this:

*.* @@graylog.example.org:514;RSYSLOG_SyslogProtocol23Format
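A quick way to check whether a line captured on the Raw/Plaintext input actually has the RFC 5424 (SyslogProtocol23) header layout the Syslog TCP input expects. This is an added example, not code from this thread or from Graylog; the first sample line is the one quoted above, the BSD-style line is constructed for comparison.

```python
import re
from datetime import datetime

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
# This is the layout rsyslog emits with the RSYSLOG_SyslogProtocol23Format template.
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) "
    r"(?P<timestamp>-|\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*\])(?: (?P<msg>.*))?$"
)
# Legacy BSD (RFC 3164) header: <PRI>Mmm dd hh:mm:ss HOST ...
RFC3164_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")

# Line quoted in the thread (seen on the Raw/Plaintext input).
SAMPLE_RFC5424 = ("<38>1 2020-01-27T09:29:58.660546+00:00 gelveriweb sshd 3376 - - "
                  "Failed password for gelveri from 86.140.83.78 port 60178 ssh2")
# Constructed: the same event as rsyslog's default (BSD) wire format.
SAMPLE_BSD = "<38>Jan 27 09:29:58 gelveriweb sshd[3376]: Failed password for gelveri"


def parse_rfc5424(line: str):
    """Return the header fields as a dict if `line` is RFC 5424, else None."""
    m = RFC5424_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    fields = m.groupdict()
    # PRI encodes facility*8 + severity (e.g. 38 -> auth/info).
    fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    if fields["timestamp"] != "-":
        # RFC 5424 timestamps are RFC 3339; map a trailing "Z" for fromisoformat().
        try:
            datetime.fromisoformat(fields["timestamp"].replace("Z", "+00:00"))
            fields["timestamp_ok"] = True
        except ValueError:
            fields["timestamp_ok"] = False
    return fields


def diagnose(line: str) -> str:
    """Classify a captured line the way a troubleshooter would."""
    if parse_rfc5424(line):
        return "rfc5424"
    if RFC3164_RE.match(line):
        return "rfc3164 (BSD): sender is not using RSYSLOG_SyslogProtocol23Format"
    return "unrecognised: not a syslog header at all"


if __name__ == "__main__":
    for sample in (SAMPLE_RFC5424, SAMPLE_BSD, "just some text"):
        print(diagnose(sample), "<-", sample[:40])
```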

Hello, thank you for your reply. I checked again after you said it. My rsyslog conf is the same as you said.
I must have made another mistake. But what?
What else can I check?

can anybody help me? :expressionless:

we have given multiple ideas about what you can check, what might be the problem in your environment, and what you need to configure and how.

For everything, you wrote “did it exactly like that, but it still does not work”.

Start playing Sherlock: check from the source of the message to the destination of the message whether it can pass, using tools like netcat and telnet and similar commands. This community has lots of these commands/tools named in different topics about connection issues. Great way to learn.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.