Graylog 4.2.4 is not parsing all syslog messages it receives

myky · December 23, 2021, 6:50pm

Hi guys,

I have just installed Graylog 4.2.4 in my home environment; please see details below:
MongoDB shell version v4.4.10
Elasrichserach version 7.10.2

For some reason, Graylog only displays messages that it receives from the same network (192.168.1.0/24).
It also gets Syslog messages from other networks (192.168.4.0/24 and 192.168.14.0/24), but they don’t appear in the search:

root@graylog:~# tcpdump -i eth0 net 192.168.4.0/24 or net 192.168.14.0/24
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:48:04.627106 IP 192.168.14.1.48250 > graylog.syslog: SYSLOG daemon.info, length: 119
18:48:05.609281 IP 192.168.4.27.49892 > graylog.syslog: SYSLOG user.info, length: 305
18:48:05.634475 IP 192.168.14.1.48250 > graylog.syslog: SYSLOG daemon.info, length: 118
18:48:05.911361 IP 192.168.14.44.58829 > graylog.syslog: SYSLOG kernel.warning, length: 131
18:48:05.929977 IP 192.168.14.44.58829 > graylog.syslog: SYSLOG daemon.notice, length: 216
18:48:05.930884 IP 192.168.14.44.58829 > graylog.syslog: SYSLOG kernel.warning, length: 142
18:48:06.137461 IP 192.168.14.44.58829 > graylog.syslog: SYSLOG daemon.notice, length: 216
18:48:06.139261 IP 192.168.14.44.58829 > graylog.syslog: SYSLOG kernel.warning, length: 128
18:48:07.215159 IP 192.168.4.27.49892 > graylog.syslog: SYSLOG daemon.notice, length: 239
18:48:08.609482 IP 192.168.4.24.34311 > graylog.syslog: SYSLOG user.info, length: 273
18:48:08.757890 IP 192.168.14.1.48250 > graylog.syslog: SYSLOG daemon.info, length: 131
^C
11 packets captured
11 packets received by filter
0 packets dropped by kernel
root@graylog:~#

tcpdump shows that the server gets messages but they dont seem to get parsed:

Input setting below:

UDP Syslog Input Syslog UDP

RUNNING

On node 72209db4 / graylog

allow_override_date:

true

bind_address:

192.168.1.11

expand_structured_data:

false

force_rdns:

false

number_worker_threads:

4

override_source:

port:

1514

recv_buffer_size:

262144

store_full_message:

true

Thanks,
myky

myky · December 24, 2021, 11:04am

False-positive, guys.
Logs are now displayed:

logs

It took some time tho

gsmith · December 31, 2021, 12:43am

Nice, Could you explain how you resolved this?

myky · December 31, 2021, 9:07am

Hey @gsmith

I haven’t done anything tbh, eventually, I could see all logs in the dashboard after some time (I had a fresh install).

Thanks,
myky

system · January 14, 2022, 9:07am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Not receiving any syslog messages Graylog Central (peer support) basic-configuration	4	2777	April 27, 2022
Graylog server missing logs from some sources Graylog Central (peer support)	4	1133	November 23, 2022
Syslog messages don't arrive on graylog, but shown in tcpdump Graylog Central (peer support)	5	3260	August 21, 2017
Graylog not found any syslog Graylog Central (peer support) basic-configuration , elastic	7	662	May 12, 2022
Traffic from other subnet Graylog Central (peer support)	3	772	September 4, 2017

Graylog 4.2.4 is not parsing all syslog messages it receives

UDP Syslog Input Syslog UDP

Related topics