Graylog Cisco Switch Input Failed

Hi Everybody

Hello to everyone
We are trying to get a log on Cisco switch.
We just installed the Graylog system, but when I add an Input device, I get the error. Syslog udp does not work on the server with the standard 514 installed even though we have activated the following command.
iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to 1514
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514
When we look at the logs, we get a Permission denied error.
[UdpTransport] Failed to start channel for input SyslogUDPInput {title = E1_Switch, type = org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId = 7930013d-3972-408b-9058-7d42ad7db82d}
io.netty.channel.unix.Errors NativeIoException: bind (..) failed: Permission denied
2020-01-29T14:06:35.309+03:00 ERROR [InputLauncher] The [org.graylog2.inputs.syslog.udp.SyslogUDPInput] input with ID <5e31673b0d4a5709066a8e14> misfired. Reason: bind (..) failed: Permission denied.
org.graylog2.plugin.inputs.MisfireException: org.graylog2.plugin.inputs.MisfireException: io.netty.channel.unix.Errors NativeIoException: bind (…) failed: Permission denied

hey @ous

please sort your thoughts and write a proper description that does not leave the people that try to help you with a big question mark … or that they need to guess what your problem is.

I guess that you set up the wrong port number in your Input in graylog, please check that you use port 1514 and not 514.

Hi @jan @shoothub

I want to keep the log records of cisco switches in my system in graylog.
I wrote the necessary commands in Cisco Switch. But I get the failed warning in graylog. I know that the udp port in the graylog is 1514.
I entered the necessary iptables command to the graylog server for this, but I still get the failed warning. When I looked at the server graylog server.log I saw Permission denied alerts.
I changed the udp port and made port forwarding.
I am waiting for your support on the subject.

If I were you, I would try:

  1. Change bind_address to 0.0.0.0 in Input.
  2. Try to lower number of number_worker_threads: to 2
  3. After each change, try to start Input with Start input button and check log.
  4. Check if the port 1514 isn’t used by another process: ss -ulpn | grep 1514
  5. Check if you have selinux activated, if yes change to permissive or disabled.
  6. If that doesn’t help, try to create a new Input with default parameters, change only the port to an unused one >1024 (other than 1514)
  7. If cisco can change syslog port to other than 514, change it directly to the graylog input port, so you don’t use iptables to redirect
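The checks from the list above, collected into one script as an added example (not part of the thread and not Graylog's own tooling). It relies on the Linux rule that ports below `net.ipv4.ip_unprivileged_port_start` (1024 by default) can only be bound by root or a process holding CAP_NET_BIND_SERVICE, the usual cause of a `Permission denied` on bind to port 514; the function names and the optional log-path argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight checks for a Graylog syslog input port.

# Lowest port a process without CAP_NET_BIND_SERVICE may bind (Linux default: 1024).
unpriv_port_start() {
    cat /proc/sys/net/ipv4/ip_unprivileged_port_start 2>/dev/null || echo 1024
}

# bind_verdict PORT UID [START] -> prints ok | privileged | invalid
bind_verdict() {
    bv_port=$1 bv_uid=$2 bv_start=${3:-$(unpriv_port_start)}
    case $bv_port in ''|*[!0-9]*) echo invalid; return 0 ;; esac
    if [ "$bv_port" -lt 1 ] || [ "$bv_port" -gt 65535 ]; then echo invalid
    elif [ "$bv_uid" -eq 0 ] || [ "$bv_port" -ge "$bv_start" ]; then echo ok
    else echo privileged   # bind() fails with "Permission denied" for this uid
    fi
}

# listeners_on PORT: filter `ss -lun` output on stdin to sockets bound to exactly PORT.
listeners_on() {
    awk -v re=":$1\$" '{ for (i = 1; i <= NF; i++) if ($i ~ re) { print; next } }'
}

# misfired_inputs: from a Graylog server.log on stdin, print "<input id> <reason>".
misfired_inputs() {
    sed -n 's/.*input with ID <\([0-9a-f]*\)> misfired\. Reason: \(.*\)$/\1 \2/p'
}

# preflight PORT [LOGFILE]: report for the account running this script.
preflight() {
    echo "bind check for port $1 as uid $(id -u): $(bind_verdict "$1" "$(id -u)")"
    echo "UDP listeners already on port $1:"; ss -lunp 2>/dev/null | listeners_on "$1"
    if command -v getenforce >/dev/null 2>&1; then echo "SELinux: $(getenforce)"; fi
    if [ -r "${2:-}" ]; then echo "misfired inputs:"; misfired_inputs < "$2"; fi
}

# Runs only when a port is given on the command line.
if [ $# -gt 0 ]; then preflight "$@"; fi
```

Run it as the account the Graylog service runs under, since the bind verdict depends on the uid: a `privileged` result for the port configured in the Input means the Input itself should listen on a port at or above the threshold, with the iptables REDIRECT rules forwarding 514 to it.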

Hi
I get a warning that says 1 I shared in the picture.
Do you have any information about this warning?
How do I provide a solution.

Which of the recommendations I posted did you try? Post the actual parameters of the Input…

when you use the parameter provided here:

follow the guidance here:

And to fix this:

follow the guidance here:

Hi
I tried what you said and it is working
Thank you
