I have a rather peculiar problem. I need to get Mikrotik remote logs into a Graylog server. Google is full of topics saying that it can't be done. I disagree! At first I dug out that the RB450G series router is sending a UDP packet payload like this:
…’.,.L^.`…E…@.@…,…firewall,info RB450G: ---- REMOVED MESSAGE ----
22:43:58.568447 IP 0.0.0.0.44914 > 0.0.0.0.11514: UDP, length 154
And the hAP series router is sending a rather different packet payload:
…r,…firewall,info RB951UI: ---- REMOVED MESSAGE ----
22:43:58.662620 IP 0.0.0.0.39551 > 0.0.0.0.11514: UDP, length 150
I almost gave up but then I got it working in my home lab. Graylog version 3.1.3. Now I do not know what to think.
I can see with tcpdump that packets are coming from every type of router but Graylog only reads RB450G router logs.
Home lab Graylog version 3.1.3 (Ubuntu server 16.04.6 LTS)
Production Graylog version 3.2.2 (Ubuntu server 16.04.6 LTS)
Home lab and production configurations and inputs are exactly the same.
server.conf is with defaults:
http_bind_address = 0.0.0.0:9000
Syslog UDP input:
Do I really have to downgrade Graylog to version 3.1.3? Still, the fact is that tcpdump shows that the logs are arriving at the Graylog server, so the problem must be in the log parsing or in the server.
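As an added example (not code from the original post, Graylog or MikroTik), here is a small parser for the payload shape visible in the two dumps above, `topics,severity identity: message`, which is roughly what a raw/plaintext UDP input plus an extractor would have to handle instead of the standard syslog parser. It assumes the `RB450G`/`RB951UI` token is the router identity, and optionally accepts an RFC 3164 `<PRI>` prefix; the sample messages are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed samples modelled on the tcpdump output in the post (message bodies are invented).
SAMPLES: List[str] = [
    "firewall,info RB450G: input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:51234->198.51.100.2:22",
    "<134>firewall,info RB951UI: forward: in:bridge out:ether1, proto UDP, 192.168.88.10:5353->224.0.0.251:5353",
    "system,error,critical RB450G: login failure for user admin from 203.0.113.9 via ssh",
]

# Most severe first; MikroTik carries the level as one of the comma-separated topics.
SEVERITY_ORDER = ["critical", "error", "warning", "info", "debug"]

_PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
_BODY_RE = re.compile(
    r"^(?P<topics>[a-z0-9_-]+(?:,[a-z0-9_-]+)*)\s+"   # e.g. "firewall,info"
    r"(?:(?P<identity>[A-Za-z0-9_.-]+):\s+)?"          # e.g. "RB450G:" (assumed to be the router identity)
    r"(?P<message>.*)$",
    re.S,
)


def parse_mikrotik_syslog(payload: str) -> Optional[Dict[str, object]]:
    """Split a MikroTik remote-log payload into fields; None if it does not fit the shape."""
    text = payload.strip()
    pri = None
    m = _PRI_RE.match(text)
    if m:
        pri = int(m.group("pri"))
        if pri > 191:            # RFC 3164 allows facility 0-23 and severity 0-7 only
            return None
        text = text[m.end():]
    m = _BODY_RE.match(text)
    if m is None:
        return None
    topics = m.group("topics").split(",")
    level = next((s for s in SEVERITY_ORDER if s in topics), None)
    return {
        "facility": None if pri is None else pri // 8,
        "syslog_severity": None if pri is None else pri % 8,
        "topics": [t for t in topics if t not in SEVERITY_ORDER],
        "level": level,
        # Caveat: a message like "input: in:ether1 ..." with no identity would be mis-read as identity=input.
        "identity": m.group("identity"),
        "message": m.group("message"),
    }
```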