Graylog 3.0 is not accepting syslog messages other than from localhost

Over the past year, I’ve installed Graylog twice. Both times I have the same issue. The first time, after the installation, I made the mistake of upgrading all of my installed packages, which was a disaster. So I cut bait and started over. I have spent many days searching for a solution, so I apologize for a duplicate submission.
For both of my installations, I followed the instructions shown in:


I watched this video more times than I can count and I’m certain I followed all of the steps.
I’m a Cisco network engineer so I understand firewalls and port forwarding, and I know some fundamentals of Unix (yes, I was doing Unix in the latter 1990’s).
I believe my issue is with the firewall. If I attempt to telnet into my Graylog server over 514, it fails. It appears that I have the firewall configured correctly:
[root@Graylog sysconfig]# firewall-cmd --list-ports
9000/tcp 514/udp 514/tcp
I’m trying to send syslogs from my Unifi controller to the Graylog server over UDP/514. Nothing is appearing on the Graylog dashboard.
I’m port forwarding:
/etc/sysconfig/iptables contains:
-A PREROUTING -p tcp -m tcp --dport 514 -j REDIRECT --to-ports 1514
-A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 1514
I have a Graylog Input configured for UDP Syslog, UDP/1514.
I am able to see local syslogs in Graylog.
Is there something missing in this video?

Upon further investigation, it appears my server is not listening on port 514:
[root@Graylog ~]# netstat -anp | grep 514
udp6 0 0 :::1514 :::* 4674/java
udp6 0 0 :::1514 :::* 4674/java

so I modified /etc/rsyslog.conf and uncommented these lines:
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

Restarted rsyslog:
systemctl restart rsyslog

And it looks like I’m listening on port 514:
[root@Graylog etc]# netstat -antup | grep 514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 7826/rsyslogd
tcp6 0 0 :::514 :::* LISTEN 7826/rsyslogd
udp 0 0 0.0.0.0:514 0.0.0.0:* 7826/rsyslogd
udp6 0 0 :::1514 :::* 4674/java
udp6 0 0 :::1514 :::* 4674/java
udp6 0 0 :::514 :::* 7826/rsyslogd

However, I still cannot telnet over 514.
I’ve been running Wireshark on this traffic and nothing is changing:
I send a SYN packet over tcp/514 from my Windows computer to the CentOS server and receive a [RST, ACK] back.
Anyone, please?

Is there a reason you are also using rsyslog server?

Honestly, I didn’t know I was using rsyslog. I’m just trying to get my Graylog server to accept logs. I’m new to this and am finding very little assistance troubleshooting this issue. I use a Graylog server at work, love its interface, and would like to have one at my home. I’m missing something simple but can’t figure out what that is.

You are mixing two things: Graylog with syslog on the same server. Don’t do it; you don’t know what you are doing.

Don’t set up rsyslog to listen on port 514. Graylog doesn’t use rsyslog at all; it’s able to receive logs without a local rsyslog.
If you want to redirect using firewalld, use:
firewall-cmd --permanent --direct --add-rule ipv4 nat PREROUTING 0 -p udp --dport 514 -j REDIRECT --to-ports 1670

Not sure if you are trying to install on a server that you are using for something else, but shared servers have their own set of issues that are difficult to isolate and troubleshoot via a forum. If this is a pristine environment, setting it up is pretty straightforward, and we’ll be happy to try and help.

Couple things to consider.

  • If this is a “small” deployment, consider installing via the OVA and virtualbox. It’s arguably the easiest, simplest, way to quickly get it up and running.
  • If you want to (and I do recommend this) do a manual install, the steps are well documented in the docs.
  • If you can do that, a clean install of Ubuntu may be best as the documentation is mostly written against that distro. Other Linux distros are supported of course… but Ubuntu is great and user friendly.
  • If this is internal home usage, you can probably disable SELinux if you are running it. (but there is really no need to)

As @shoothub mentions, you should use the firewall-cmd command to modify the firewall… but you will need to restart it after you make those changes. For more info: https://firewalld.org/

Also, have you checked your Unifi to see if you can send directly to 1514?

From the attached video I used to configure this, the presenter, who I don’t believe identifies himself, says to configure:
iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to 1514
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514
iptables-save > /etc/sysconfig/iptables
This differs slightly from what you suggest. Should I remove my config and try yours? I’m willing to try anything at this point.
I do understand using a port greater than 1024 and that the presenter chose 1514 and you’re using 1670. I can modify it to meet my needs.

Hi cawfehman,
I followed the attached video step by step. The video seems to be produced by someone at Graylog. I also followed the documentation on the Graylog website. I think the presenter was following this same document while creating this video. The documentation for CentOS 7 and Graylog 3.0 does not seem to be available on this website any longer.
I’m using an older Dell PC for this so it would be considered a “small” deployment. I have a home-built Windows 2016 Server Essentials and have been considering replacing it with something that can handle VMware or the like, but I don’t have the funds for that right now. I’m leaning towards a Synology 4-5 bay NAS because it will be a little cheaper. And it includes a syslog server built-in. I will also consider switching to Ubuntu on my Dell box if I can find good instructions or video.
When I was testing with a telnet to 514, I was also testing a telnet to 1514. Either my server is blocking those ports or it’s not listening on these ports.
I appreciate you both responding. I would really like to get this working. I think my next steps are as you suggested, wiping the box and starting with Ubuntu. If that fails, I’ll look at running something like Syslog Watcher on my Windows server.
Thank you.

I’m happy to report, after wiping my current CentOS 7/Graylog 3.0 server, and following the instructions to create a Ubuntu 18.04.4/Graylog 3.2 server, Graylog is working.
I have one bug to work out. When I started Graylog for the first time, I needed to create “Inputs”, for which I did a Syslog UDP on port 1514. I also pointed my Unifi controller to port 1514.
After doing that, I switched to Search view. Nothing was appearing. When I went back to the Syslog UDP inputs and selected, “Show received message”, I could now see my Unifi controller syslogs.
If I log out of Graylog and log back in, my default view does not show my syslogs until I repeat the process above. How do I make this view my default?

Check your Time frame selector:

https://docs.graylog.org/en/3.2/pages/searching/time_frame_selector.html

I’m going to call this case closed.
I will open a new thread regarding the fact that, when I start Graylog, it doesn’t show my syslogs by default. I need to click System, Inputs (I only have one configured), and click “Show received messages” before I can see syslogs.
Thank you for your assistance with this case guys. Now that I look back, I’ll bet my CentOS/Graylog 3.0 was working, I just needed to do the step described above.
Happy Computing!
