Graylog 3.2 Not Accepting/Receiving Messages

setup.sh · June 1, 2020, 9:11pm

OS: CentOS 8.1.1911 (Core) x64

VLAN 11 (virsh Machines): 10.10.11.0/24
VLAN 1 (default LAN): 10.10.10.0/24
Router: 10.10.10.1 (/24)
Graylog VM: 10.10.11.11

I’ve set up an input collector for Syslog UDP Port 1514 and it looks like other configured hosts are sending without issue as I can see the incoming traffic with tcpdump but Graylog states that there are no incoming messages.

Logs would suggest there’s no issues:

2020-06-01T16:05:25.019-05:00 INFO  [InputStateListener] Input [Syslog UDP/5ed551ce3e30c31329a51a8b] is now STARTING
2020-06-01T16:05:25.019-05:00 WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=Network Devices, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=8e253e8b-1f48-4153-af81-badb6dfee78c} (channel [id: 0x2115e711, L:/10.10.11.11:1514]) should be 262144 but is 425984.
2020-06-01T16:05:25.023-05:00 WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=Network Devices, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=8e253e8b-1f48-4153-af81-badb6dfee78c} (channel [id: 0x40523a7a, L:/10.10.11.11:1514]) should be 262144 but is 425984.
2020-06-01T16:05:25.024-05:00 INFO  [InputStateListener] Input [Syslog UDP/5ed551ce3e30c31329a51a8b] is now RUNNING

…and tcpdump shows the traffic coming in from the router (currently configured to point @ 10.10.11.11:1514 UDP:

16:09:46.783645 IP 10.10.11.1.39850 > 10.10.11.11.1514: UDP, length 142
16:09:46.786016 IP 10.10.11.1.39850 > 10.10.11.11.1514: UDP, length 95
16:09:47.136468 IP 10.10.11.1.39850 > 10.10.11.11.1514: UDP, length 84
16:09:51.749061 IP 10.10.11.1.39850 > 10.10.11.11.1514: UDP, length 191
16:09:51.761048 IP 10.10.11.1.39850 > 10.10.11.11.1514: UDP, length 193
16:09:51.765062 IP 10.10.11.1.39850 > 10.10.11.11.1514: UDP, length 193

Despite this, Graylog states that there are no incoming messages for the input.

I’m unsure of where else to look.

I’m not looking for the answer but looking more for someone to point me in the right direction.

Thanks!

Edit: Added some basic Infrastructure information.

setup.sh · June 2, 2020, 4:12am

Solved this on my own.

The logs are coming from an Ubiquiti Edgerouter-X and apparently most of the syslog output does not get parsed correctly for a Syslog UDP/TCP Input in Graylog.

Switching over to RAW UDP/TCP resolved it and It’s not receiving those messages from the router.

I believe you can actually send the syslogs over to a different linux machine and then have that machine deliver the Syslog formatted messages to Graylog and this, in turn, will work with Syslog TCP/UDP inputs in Graylog.

system · June 16, 2020, 4:12am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Gray log server not receiving logs Graylog Central (peer support)	3	308	March 12, 2024
No Messages in Syslog UDP/5141 Input Graylog Central (peer support)	14	3685	January 22, 2021
UDP inputs not working Graylog Central (peer support)	3	7737	January 3, 2019
Syslog messages don't arrive on graylog, but shown in tcpdump Graylog Central (peer support)	5	3148	August 21, 2017
Suddenly Graylog inputs stop receiving messages? Graylog Central (peer support)	9	5443	July 4, 2018

Graylog 3.2 Not Accepting/Receiving Messages

Related topics