Graylog 2 not displaying TCP syslog messages


#1

Hi,

I am very new to the forum and to Graylog.

I have just put it into my production environment (Debian 8.7 + Graylog 2.2.3). It works perfectly with UDP inputs, however I can’t get it to work with TCP inputs. From the tcpdump I can see that the server is receiving the packets from the sources (Palo Alto firewall, Windows servers & Debian servers) but they do not reach Graylog and nothing is displayed on the Inputs and search pages.

Has anybody seen similar behaviour?

Thank you in advance for any advice.

Peter


(Jochen) #2

Try using a Raw/Plaintext TCP input for these messages.

Some devices aren’t sending valid syslog according to RFC 3164 or RFC 5424 and Graylog’s Syslog input is very strict about that.

Also see https://github.com/Graylog2/graylog-guide-syslog-linux/blob/master/README.md.


#3

Many thanks for a speedy reply! I will try that.

However, my main problem is trying to implement the Palo Alto Networks Content Pack from Graylog Marketplace. It requires Syslog tcp 5514 and Palo Alto Networks Firewall (or Panorama) with SYSLOG configured for tcp 5514 BSD format, no custom settings. The same configuration works ok on other (non-Graylog) systems.

Any ideas?


(Wolfgang Klenk) #4

I played around with SysLogHandler in Python and found out the following:

SysLogHandler in Python by default adds a 0x00 at the end of the line. You can switch this off.
Graylog TCP Syslog seems to expect a 0x0a (\n) at the end of the line.

For me, the following Python code works:

```python
import logging
import logging.handlers
import socket

# Third-party formatter that emits RFC 5424 headers
from syslog_rfc5424_formatter import RFC5424Formatter

my_logger = logging.getLogger('MyLogger')
my_logger.setLevel(logging.DEBUG)

# SOCK_STREAM makes the handler send over TCP instead of the default UDP
handler = logging.handlers.SysLogHandler(address=('0.0.0.0', 8514), socktype=socket.SOCK_STREAM)
# some old syslog daemons expect a NUL terminator, but graylog will not work if a NUL terminator is appended.
handler.append_nul = False
handler.setFormatter(RFC5424Formatter())
my_logger.addHandler(handler)

# The trailing \n supplies the line terminator
my_logger.debug('wolfgang was here\n')
```
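An added example, not code from any poster in this thread: a check to run over the TCP payload bytes seen in tcpdump, reporting how the sender delimits messages (LF, NUL, or RFC 6587 octet counting) and whether each message has an RFC 3164 or RFC 5424 header, the two points raised in the replies above. All function names and the sample payloads are constructed for illustration.

```python
import re

# Header shapes: RFC 5424 "<PRI>1 TIMESTAMP HOST ...", RFC 3164 (BSD) "<PRI>Mmm dd hh:mm:ss HOST ..."
RFC5424_RE = re.compile(rb"^<(\d{1,3})>1 (?:-|\d{4}-\d{2}-\d{2}T\S+) \S+ ")
RFC3164_RE = re.compile(rb"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ ")
OCTET_RE = re.compile(rb"^(\d{1,6}) <")  # RFC 6587 octet counting: "MSG-LEN SP <PRI>..."

# Constructed sample payloads (not captured from any real device)
MSG = b"<13>1 - host1 app - - - hi"
SAMPLES = {
    "nul": b"<15>1 2017-04-20T10:00:00+00:00 host1 app 123 - - hello\x00",
    "lf": b"<14>Apr 20 10:00:00 fw01 TRAFFIC,allow\n<14>Apr 20 10:00:01 fw01 TRAFFIC,deny\n",
    "octet": str(len(MSG)).encode() + b" " + MSG,
    "bare": b"fw01 TRAFFIC allow src=10.0.0.1\n",
}

def detect_framing(stream: bytes) -> str:
    """Classify how messages are delimited in one captured TCP payload."""
    m = OCTET_RE.match(stream)
    if m and len(stream) >= len(m.group(1)) + 1 + int(m.group(1)):
        return "octet-counted"
    if stream.endswith(b"\x00") or b"\x00<" in stream:
        return "nul-delimited"
    return "lf-delimited" if stream.endswith(b"\n") else "unterminated"

def split_frames(stream: bytes, framing: str) -> list:
    """Cut the payload into individual messages according to the framing."""
    if framing != "octet-counted":
        sep = b"\x00" if framing == "nul-delimited" else b"\n"
        return [f for f in stream.split(sep) if f]
    frames = []
    while (m := OCTET_RE.match(stream)):
        start, n = len(m.group(1)) + 1, int(m.group(1))
        frames.append(stream[start:start + n])
        stream = stream[start + n:]
    return frames

def classify_message(frame: bytes) -> str:
    """Name the header format, or flag the message as non-conforming."""
    for name, rx in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = rx.match(frame)
        if m and int(m.group(1)) <= 191:  # PRI = facility (0-23) * 8 + severity (0-7)
            return name
    return "non-conforming"

def diagnose(stream: bytes) -> tuple:
    """Return (framing, [header format of each message])."""
    framing = detect_framing(stream)
    return framing, [classify_message(f) for f in split_frames(stream, framing)]
```

A result other than `lf-delimited` with `rfc3164` or `rfc5424` headers points at the framing or format mismatch described in this thread; a `non-conforming` result is the case for which the Raw/Plaintext TCP input was suggested.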