alban
(alban)
July 25, 2018, 11:26am
1
Hi,
I don't receive logs on the Graylog interface, but when I do a tcpdump, I receive logs on the server.
tcpdump -i any -v 'port 514'
Why can't I see them on the Graylog interface?
Do you have an idea?
For information, I redirect port 514 to 1514
]# iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT udp -- anywhere anywhere udp dpt:syslog redir ports 1514
jan
(Jan Doberstein)
July 25, 2018, 11:57am
2
just a guess - try RAW/Plaintext input. The timestamp of your messages might not fit what the syslog input expects as a valid timestamp …
alban
(alban)
July 25, 2018, 12:44pm
3
I tried with the RAW/Plaintext input; I receive many logs but not all.
Example:
With tcpdump, I have lots of messages from my equipment (firewall, wifi controller, ...)
Green is a log received on the Graylog interface and red is a log not received on the Graylog interface
I receive only data from firewall bfw-secondary (IP ending in 4)
No logs from Aruba (wifi controller) and the other firewall (IP ending in 5)
jan
(Jan Doberstein)
July 25, 2018, 1:28pm
4
and what is inside your Graylog server.log?
jan
(Jan Doberstein)
July 25, 2018, 1:47pm
6
With that nobody would be able to help you.
You need to check if you see entries about dropped messages or similar. My initial guess is still that the time and date given by these devices are in the wrong format (letting the messages drop out) or carry a timestamp that is not the actual time.
alban
(alban)
July 25, 2018, 1:57pm
7
Where can I check for entries about dropped messages or similar?
jan
(Jan Doberstein)
July 25, 2018, 2:30pm
8
Your Graylog server.log should give you the information. Depending on your installation it can be placed in different locations. Please find the right one following the default file guide: http://docs.graylog.org/en/2.4/pages/configuration/file_location.html
rivera
(Rob)
July 25, 2018, 4:20pm
9
Complete guess on my side… but why is your receive buffer empty?
alban
(alban)
July 26, 2018, 6:28am
10
I increased the UDP buffer but no change
before: net.core.rmem_max = 212992
now: net.core.rmem_max = 26214400
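An added check, not from this thread and not Graylog code, for what the rmem_max change above actually does: the sysctl is only a ceiling, and a UDP socket gets a larger receive buffer only if the receiving process asks for one, on a socket created after the ceiling was raised. The probe opens a throwaway UDP socket, requests the 26214400 bytes from the post, and reports what the kernel granted next to the ceiling read from /proc (the /proc path and the doubling behaviour are Linux specifics; on other systems the cap is reported as unknown).

```python
import socket

RMEM_MAX_PATH = "/proc/sys/net/core/rmem_max"  # Linux only


def kernel_rcvbuf_cap():
    """Return net.core.rmem_max in bytes, or None where /proc is unavailable."""
    try:
        with open(RMEM_MAX_PATH) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def probe_udp_rcvbuf(requested):
    """Open a UDP socket, request `requested` bytes of receive buffer and report
    what the kernel granted.

    Linux clamps the request to net.core.rmem_max and reports the result
    doubled (the extra half accounts for bookkeeping overhead), so 'granted'
    may be up to 2 * cap. A socket that never calls setsockopt keeps
    net.core.rmem_default, however far rmem_max is raised afterwards.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        default = sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)
        try:
            sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, requested)
            error = None
        except OSError as exc:  # some kernels reject oversize requests outright
            error = str(exc)
        granted = sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)
    finally:
        sock.close()
    cap = kernel_rcvbuf_cap()
    return {
        "default": default,
        "requested": requested,
        "granted": granted,
        "cap": cap,
        # True when the sysctl ceiling, not the request, decided the size.
        "capped_by_sysctl": cap is not None and granted < requested and granted <= 2 * cap,
        "error": error,
    }


if __name__ == "__main__":
    for size in (212992, 26214400):  # the two rmem_max values from the thread
        print(probe_udp_rcvbuf(size))
```

If "capped_by_sysctl" is True for the larger request, the ceiling is still the old one; if it is False but the listener was started before the sysctl change, the listener is still running with the buffer it got at startup, which is consistent with the later observation in this thread that a restart changed the behaviour.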
alban
(alban)
July 26, 2018, 9:54am
11
I checked the Graylog server.log; I don't find any error.
Truly, I don't understand why I have these messages with the tcpdump command:
09:05:12.356885 IP (tos 0x0, ttl 63, id 13705, offset 0, flags [DF], proto UDP (17), length 551)
bfw-primary.ipsec-nat-t > graylog…syslog: UDP-encap: ESP(spi=0x3c31343e,seq=0x4a756c20), length 523
09:05:13.862881 IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto UDP (17), length 212)
aruba.syslog > graylog.syslog: SYSLOG, length: 184
Facility local1 (17), Severity error (3)
Msg: Jul 26 08:05:13 2018 Aruba650 syslogdwrap[2405]: PAPI_Send: sendto BOC Manager failed: No such file or directory Message Code 1003 Sequence Num is 41174
and not on the Graylog interface
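Jan's guess earlier in the thread was that the devices' timestamps do not fit what the syslog input expects. The Aruba message in the tcpdump output above shows why that is worth checking: its header reads "Jul 26 08:05:13 2018 Aruba650 ...", and RFC 3164 has no year between the time and the hostname, so a strict parser reads "2018" as the hostname. The following checker is an added example, not code from the thread or from Graylog, that flags such layouts in raw syslog lines. The first sample is the Aruba message body from the capture with a constructed <139> prefix (derived from the facility local1 = 17 and severity error = 3 that tcpdump decoded, 17 * 8 + 3); the other samples are constructed. Whether Graylog's syslog input actually discards a given layout is an assumption to confirm against server.log.

```python
import re

# Facility and severity names for decoding the <PRI> prefix (PRI = facility * 8 + severity).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Strict RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
# The day is space-padded ("Jul  6"), and nothing sits between the time and HOSTNAME.
_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 0-3]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)


def decode_pri(pri):
    """Split a PRI value into (facility, severity) numbers."""
    return divmod(pri, 8)


def analyse_syslog_line(line):
    """Report whether `line` carries a strict RFC 3164 header and list what a
    strict parser would trip over; every entry in 'notes' is a candidate reason
    for a receiver to misfile or drop the message."""
    report = {"conforms": False, "notes": [], "facility": None, "severity": None,
              "timestamp": None, "host": None}
    m = _HEADER.match(line)
    if not m:
        report["notes"].append("header does not match '<PRI>Mmm dd hh:mm:ss HOSTNAME'")
        return report
    report["timestamp"], report["host"] = m.group("ts"), m.group("host")
    if m.group("pri") is None:
        report["notes"].append("no <PRI> prefix; receiver must assume facility/severity")
    else:
        fac, sev = decode_pri(int(m.group("pri")))
        if fac >= len(FACILITIES):
            report["notes"].append(f"facility {fac} is out of range")
        else:
            report["facility"], report["severity"] = FACILITIES[fac], SEVERITIES[sev]
    # A four-digit year after the time is not RFC 3164: a strict parser takes it
    # as HOSTNAME, and the real hostname becomes the start of the TAG.
    if re.fullmatch(r"\d{4}", report["host"]):
        real_host = m.group("rest").split(" ", 1)[0]
        report["notes"].append(
            f"year '{report['host']}' sits in the HOSTNAME field; real host is likely '{real_host}'")
    report["conforms"] = not report["notes"]
    return report


# Constructed samples: the Aruba body is from the thread's tcpdump output with a
# derived <139> prefix; the other two lines are made up for contrast.
SAMPLES = [
    "<139>Jul 26 08:05:13 2018 Aruba650 syslogdwrap[2405]: PAPI_Send: sendto BOC Manager failed: "
    "No such file or directory Message Code 1003 Sequence Num is 41174",
    "<134>Jul 26 08:05:13 bfw-secondary kernel: constructed conforming test line",
    "<134>2018-07-26T08:05:13Z bfw-primary kernel: constructed line with an RFC 5424-style timestamp",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(analyse_syslog_line(sample))
```

Run this over lines captured with tcpdump from each sender; a device whose report never conforms while a sibling device's does is the one whose header layout to compare against what the input is configured to accept, which is a quicker first check than reading the whole server.log.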
alban
(alban)
July 26, 2018, 10:08am
12
I restarted the Graylog server and now I receive all messages... WTF!!
system
(system)
Closed
August 9, 2018, 10:08am
13
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.