Don't receive syslog on graylog


(alban) #1

Hi,

I don’t receive logs on the Graylog interface, but when I do a tcpdump, I receive logs on the server.

tcpdump -i any -v 'port 514'

Why can’t I see them on the Graylog interface?



Do you have an idea?

For information, I redirect port 514 to 1514:

]# iptables -t nat --list
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT udp -- anywhere anywhere udp dpt:syslog redir ports 1514


(Jan Doberstein) #2

Just a guess - try the RAW/Plaintext input. The timestamp of your messages might not fit what the syslog input expects as a valid timestamp …


(alban) #3

I tried with the RAW/Plaintext input; I receive many logs but not all.

Example:
With tcpdump, I have lots of messages from my equipment (firewall, wifi controller, …).
Green is logs received on the Graylog interface and red is logs not received on the Graylog interface.

I receive only data from firewall bfw-secondary (IP ending in 4).
No logs from the Aruba (wifi controller) or the other firewall (IP ending in 5).


(Jan Doberstein) #4

And what is inside your Graylog server.log?


(alban) #5

I have this:


(Jan Doberstein) #6

With that nobody would be able to help you.

You need to check if you see entries about dropped messages or similar. My initial guess is still that the time and date given by these devices is in the wrong format (letting the messages drop out) or carries a timestamp that is not the actual time.


(alban) #7

Where can I check entries about dropped messages or similar?


(Jan Doberstein) #8

Your Graylog server.log should give you the information. Depending on your installation it can be placed in different locations. Please find the right one following the default file guide: http://docs.graylog.org/en/2.4/pages/configuration/file_location.html


(Rob) #9

Complete guess on my side… but why is your receive buffer empty?


(alban) #10

I increased the UDP buffer but no change:

before: net.core.rmem_max = 212992
now: net.core.rmem_max = 26214400


(alban) #11

I checked the Graylog server.log; I don’t find any error.
Truly, I don’t understand why I have these messages with the tcpdump command:


09:05:12.356885 IP (tos 0x0, ttl 63, id 13705, offset 0, flags [DF], proto UDP (17), length 551)
bfw-primary.ipsec-nat-t > graylog…syslog: UDP-encap: ESP(spi=0x3c31343e,seq=0x4a756c20), length 523

09:05:13.862881 IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto UDP (17), length 212)
aruba.syslog > graylog.syslog: SYSLOG, length: 184
Facility local1 (17), Severity error (3)
Msg: Jul 26 08:05:13 2018 Aruba650 syslogdwrap[2405]: PAPI_Send: sendto BOC Manager failed: No such file or directory Message Code 1003 Sequence Num is 41174


and not on the Graylog interface.
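One way to test the timestamp hypothesis from #6 against the payloads shown in #11, as an added example that is not part of this thread and not Graylog's own parser: a standalone checker for RFC 3164 / RFC 5424 syslog headers, run over constructed sample payloads modelled on the tcpdump output (the Aruba line carries a year after the time, which the BSD "Mmm dd hh:mm:ss" timestamp has no room for).

```python
import re
from datetime import datetime

# Constructed sample UDP payloads modelled on the thread: a BSD-style line from
# the firewall that was received, the Aruba line from the tcpdump in #11 (year
# inserted after the time), an RFC 5424 line, and a payload with no <PRI> header.
SAMPLES = [
    "<134>Jul 26 08:05:10 bfw-secondary kernel: accepted tcp 10.0.0.1 -> 10.0.0.2",
    "<139>Jul 26 08:05:13 2018 Aruba650 syslogdwrap[2405]: PAPI_Send: sendto BOC Manager failed",
    "<139>1 2018-07-26T08:05:13Z aruba-5 syslogdwrap 2405 - - PAPI_Send failed",
    "Jul 26 08:05:14 bfw-5 no priority header at all",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 header: TIMESTAMP ("Mmm dd hh:mm:ss"), a space, then HOSTNAME.
BSD_RE = re.compile(r"^([A-Z][a-z]{2}) ([ \d]\d) (\d{2}:\d{2}:\d{2}) (\S+) ")
# RFC 5424 header: VERSION "1", TIMESTAMP, HOSTNAME.
RFC5424_RE = re.compile(r"^1 (\S+) (\S+) ")


def check_syslog(payload: str) -> dict:
    """Classify one syslog payload and say why a strict parser could reject it.
    Returns a dict with 'ok', 'format', and either 'host' or 'reason'."""
    m = PRI_RE.match(payload)
    if not m or int(m.group(1)) > 191:
        return {"ok": False, "format": None, "reason": "missing or invalid <PRI> header"}
    facility, severity = divmod(int(m.group(1)), 8)
    rest = payload[m.end():]
    m5 = RFC5424_RE.match(rest)
    if m5:
        return {"ok": True, "format": "rfc5424", "facility": facility,
                "severity": severity, "host": m5.group(2)}
    m3 = BSD_RE.match(rest)
    if not m3:
        return {"ok": False, "format": "rfc3164", "reason": "timestamp is not 'Mmm dd hh:mm:ss'"}
    try:  # reject impossible dates such as 'Xyz 99' that the regex alone would pass (leap year base)
        datetime.strptime(f"2000 {m3.group(1)} {m3.group(2).strip()} {m3.group(3)}", "%Y %b %d %H:%M:%S")
    except ValueError:
        return {"ok": False, "format": "rfc3164", "reason": "timestamp fields out of range"}
    host = m3.group(4)
    if host.isdigit():  # a numeric 'hostname' means the device put a year after the time
        return {"ok": False, "format": "rfc3164", "reason": f"extra field '{host}' after timestamp"}
    return {"ok": True, "format": "rfc3164", "facility": facility, "severity": severity, "host": host}


def report(payloads):
    """Return (host-or-None, ok, reason-or-None) per captured payload."""
    return [(r.get("host"), r["ok"], r.get("reason")) for r in map(check_syslog, payloads)]


if __name__ == "__main__":
    for line, (host, ok, reason) in zip(SAMPLES, report(SAMPLES)):
        print("OK  " if ok else "DROP", host or "-", reason or "", "|", line[:60])
```

Feeding real payloads (for example the UDP data from a tcpdump -A capture) through report() shows which devices send headers a strict input may not accept, which is the check to do before turning to server.log.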


(alban) #12

I restarted the Graylog server and now I receive all messages… WTF!!


(system) #13

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.