Graylog 2 not displaying TCP syslog messages


#1

Hi,

I am very new to the forum and to Graylog.

I have just put it into my production environment (Debian 8.7 + Graylog 2.2.3). It works perfectly with UDP inputs, however I can’t get it to work with TCP inputs. From the tcpdump I can see that the server is receiving the packets from the sources (Palo Alto firewall, Windows servers & Debian servers) but they do not reach Graylog and nothing is displayed on the Inputs and search pages.

Has anybody seen similar behaviour?

Thank you in advance for any advice.

Peter


(Jochen) #2

Try using a Raw/Plaintext TCP input for these messages.

Some devices aren’t sending valid syslog according to RFC 3164 or RFC 5424 and Graylog’s Syslog input is very strict about that.

Also see https://github.com/Graylog2/graylog-guide-syslog-linux/blob/master/README.md.


#3

Many thanks for a speedy reply! I will try that.

However my main problem is trying to implement the Palo Alto Networks Content Pack from the Graylog Marketplace. It requires Syslog TCP 5514 and a Palo Alto Networks Firewall (or Panorama) with SYSLOG configured for TCP 5514, BSD format, no custom settings. The same configuration works ok on other (non-Graylog) systems.

Any ideas?