Error in TCP session Input

Ubuntu 22.04 VM, which is using as rsyslog proxy, can’t write logs to graylog server. Traffic is allowed, I see packets at pcap at graylog server, FW rules are correct - but still data is not populated to database.

From proxy VM:
2023-08-31 13:55:22 err omfwd: remote server at X.X.X.X:X seems to have closed connection. This often happens when the remote peer (or an interim system like a load balancer or firewall) shuts down or aborts a connection. Rsyslog will re-open the connection if configured to do so (we saw a generic IO Error, which usually goes along with that behaviour). [v8.2112.0 try You searched for error 2027 - rsyslog ]

From graylog server logs:
2023-08-31T 13:55:59.431+03:00 ERROR [AbstractTcpTransport] Error in Input [Syslog TCP/64f06269941d683a58d4a6d6] (channel [id: 0xa4905200, L:/X.X.X.X:X ! R:/X.X.X.X:X]) (cause io.netty.handler.codec.DecoderException: java.lang.NumberFormatException: For input string: “2023-08-31”)

Any idea what can be the issue?

It appears that the log message(s) are not rfc3164 or rfc5424 compliant.

As a workaround you can try using a Raw/Plaintext input:

Thanks for fast answer. Solved. :+1:

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.