I have just put it into my production environment (Debian 8.7 + Graylog 2.2.3). It works perfectly with UDP inputs, however I can't get it to work with TCP inputs. From the tcpdump I can see that the server is receiving the packets from the sources (Palo Alto firewall, Windows servers & Debian servers) but they do not reach Graylog and nothing is displayed on the Inputs and search pages.
However my main problem is trying to implement Palo Alto Networks Content Pack from Graylog Marketplace. It requires Syslog tcp 5514 and Palo Alto Networks Firewall (or Panorama) with SYSLOG configured for tcp 5514 BSD format, no custom settings. The same configuration works ok on other (non-Graylog systems).
I played around with SysLogHandler on Python and found out the following:
SysLogHandler on Python by default adds a 0x00 at the end of the line. You can switch this off.
Graylog TCP Syslog seems to expect a 0x0a (\n) at the end of the line.
For me, the following Python code works:
import logging
import logging.handlers
import socket

from syslog_rfc5424_formatter import RFC5424Formatter

my_logger = logging.getLogger('MyLogger')
my_logger.setLevel(logging.DEBUG)

# TCP (SOCK_STREAM) connection to the Graylog syslog input
handler = logging.handlers.SysLogHandler(address=('0.0.0.0', 8514),
                                         socktype=socket.SOCK_STREAM)
# some old syslog daemons expect a NUL terminator, but graylog will not work if a NUL terminator is appended.
handler.append_nul = False
handler.setFormatter(RFC5424Formatter())
my_logger.addHandler(handler)

# the trailing '\n' is the line terminator Graylog's TCP syslog input expects
my_logger.debug('wolfgang was here\n')
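The framing point made in that reply (NUL terminator off, newline on) can be checked locally without a Graylog server. The script below is an added example, not code from the original thread or from Graylog: it starts a throwaway TCP listener on 127.0.0.1 that splits the stream on 0x0a the way a newline-delimited syslog input does, then sends one message through Python's SysLogHandler in both configurations. The receiver logic, function names and the "hello" message are assumptions made for this demonstration; Graylog's real input is not involved.

```python
import logging
import logging.handlers
import socket
import threading


def newline_framed_receiver(conn, results):
    """Assumed model of a newline-delimited TCP syslog input.

    Every byte sequence terminated by 0x0a is a complete message; bytes left
    after the sender closes the connection without a trailing newline never
    become a message and are reported as 'pending'.
    """
    buf = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:            # sender closed the connection
            break
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            results["complete"].append(line)
    results["pending"] = buf


def send_via_syslog_handler(port, message, append_nul, add_newline):
    """Send one record over TCP with SysLogHandler in the chosen framing mode."""
    handler = logging.handlers.SysLogHandler(address=("127.0.0.1", port),
                                             socktype=socket.SOCK_STREAM)
    handler.append_nul = append_nul                 # default is True (0x00 terminator)
    handler.setFormatter(logging.Formatter("%(message)s"))
    logger = logging.getLogger("framing-demo-%d-%d" % (append_nul, add_newline))
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    # LOG_USER facility + INFO level gives the '<14>' priority prefix on the wire
    logger.info(message + ("\n" if add_newline else ""))
    logger.removeHandler(handler)
    handler.close()                                 # EOF tells the receiver we are done


def run_trial(append_nul, add_newline):
    """Run one sender/receiver pair on an ephemeral localhost port.

    Returns {'complete': [messages], 'pending': leftover_bytes}.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    results = {"complete": [], "pending": b""}

    def accept():
        conn, _ = srv.accept()
        with conn:
            newline_framed_receiver(conn, results)

    t = threading.Thread(target=accept)
    t.start()
    send_via_syslog_handler(port, "hello", append_nul, add_newline)  # constructed message
    t.join(timeout=5)
    srv.close()
    return results


if __name__ == "__main__":
    # Python's default framing: NUL terminator, no newline -> nothing is delivered
    print("default  :", run_trial(append_nul=True, add_newline=False))
    # The fix from the thread: no NUL, explicit newline -> one complete message
    print("fixed    :", run_trial(append_nul=False, add_newline=True))
```

With the default settings the whole record sits in the receiver's buffer as `<14>hello\x00` and is never emitted as a message, which matches the symptom of packets being visible in tcpdump while nothing shows up on the input; with `append_nul = False` and a trailing `\n` the receiver yields exactly one message, `<14>hello`.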