Graylog new install no messages received


(Mark Maciolek) #1

hi,
New install on CentOS 7.5, did redirect to port 1514:

```
REDIRECT   tcp  --  anywhere   anywhere   tcp dpt:shell redir ports 1514
REDIRECT   udp  --  anywhere   anywhere   udp dpt:syslog redir ports 1514
```
tcpdump shows traffic:

```
tcpdump -i em1 -v port 514
tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 262144 bytes
09:48:46.394623 IP6 (hlim 64, next-header TCP (6) payload length: 233) 2606:4100:38a0:242:d267:e5ff:feec:de35.59320 > zeke.sr.unh.edu.shell: Flags [P.], cksum 0xec25 (correct), seq 1232935553:1232935766, ack 2477132521, win 14400, length 213
09:48:46.394681 IP6 (hlim 64, next-header TCP (6) payload length: 20) zeke.sr.unh.edu.shell > 2606:4100:38a0:242:d267:e5ff:feec:de35.59320: Flags [.], cksum 0xd9b5 (incorrect -> 0xeafa), ack 213, win 65056, length 0
09:48:46.485803 IP6 (flowlabel 0x5d7a6, hlim 63, next-header TCP (6) payload length: 182) 2606:4100:38a0:243:d6ae:52ff:fe8b:e78b.46076 > zeke.sr.unh.edu.shell: Flags [P.], cksum 0x6a8e (correct), seq 2000213351:2000213501, ack 1096383653, win 225, options [nop,nop,TS val 756930448 ecr 834729], length 150
09:48:46.485867 IP6 (hlim 64, next-header TCP (6) payload length: 32) zeke.sr.unh.edu.shell > 2606:4100:38a0:243:d6ae:52ff:fe8b:e78b.46076: Flags [.], cksum 0x53fe (incorrect -> 0xa3f7), ack 150, win 133, options [nop,nop,TS val 964729 ecr 756930448], length 0
```

Added two inputs, syslog TCP and UDP; both are running, but neither shows any messages.
Tried binding to 127.0.0.1, ::1, and its IPv4 and IPv6 addresses.

remote-host Syslog UDP RUNNING
On node 5f217766 / zeke.sr.unh.edu

```
allow_override_date:    true
bind_address:           132.177.242.40
expand_structured_data: true
force_rdns:             false
override_source:        <empty>
port:                   1514
recv_buffer_size:       262144
store_full_message:     true
```

Throughput / Metrics
1 minute average rate: 0 msg/s
Network IO: 0B 0B (total: 0B 0B)
Empty messages discarded: 0

remote-host Syslog TCP RUNNING
On node 5f217766 / zeke.sr.unh.edu

```
allow_override_date:       true
bind_address:              132.177.242.40
expand_structured_data:    false
force_rdns:                false
max_message_size:          2097152
override_source:
port:                      1514
recv_buffer_size:          1048576
store_full_message:        false
tcp_keepalive:             false
tls_cert_file:
tls_client_auth:           disabled
tls_client_auth_cert_file:
tls_enable:                false
tls_key_file:              admin
tls_key_password:
use_null_delimiter:        false
```

So which log should I be looking at to find out why this is not working?

Mark


(Jan Doberstein) #2

how did you configure your remote source to send the data?


(Mark Maciolek) #3

```
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
# forward everything over TCP (@@); the template follows the port after a ';'
*.* @@remote-host:514;RSYSLOG_SyslogProtocol23Format
# ### end of the forwarding rule
```


(Jan Doberstein) #4

you have bound your input to 132.177.242.40 but your sending server is configured to use 192.168.0.1; that is not going to work …


(Mark Maciolek) #5

hi,

actually have a cname in place

host remote-host
remote-host.sr.unh.edu is an alias for zeke.sr.unh.edu.
zeke.sr.unh.edu has address 132.177.242.40
zeke.sr.unh.edu has IPv6 address 2606:4100:38a0:242::40


(Jan Doberstein) #6

it would actually be better for understanding and debugging if you put a little styling on your postings.

https://community.graylog.org/faq#format-markdown

did you try to send Log data via Netcat from different location?

```
echo '<14>sourcehost message text' | nc -v -u -w 0 localhost 514
```
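The netcat probe above is the right idea: a message with a valid `<PRI>` header, sent to the port the input (or the redirect in front of it) listens on. As an added example, not code from this thread or from the Graylog project, the script below does the same thing in Python and adds the receiving side, so you can confirm what a syslog input would actually see before blaming Graylog. It binds a throwaway receiver on 127.0.0.1 on an OS-chosen port (assumption: loopback UDP and TCP are available; nothing is sent to 514 or 1514), sends the probe once as a UDP datagram and once over newline-framed TCP, and decodes the received bytes into facility and severity. The probe string is constructed sample input, identical to the one in the netcat command.

```python
"""Loopback self-test for a syslog probe: send over UDP and TCP, receive,
decode the <PRI> header.  Added example; assumes loopback networking only."""
import re
import socket

# Constructed probe, the same text the thread's netcat command sends.
PROBE = "<14>sourcehost message text"

# RFC 3164/5424 facility and severity names, indexed by their numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(line):
    """Split the <PRI> header off a syslog line.

    PRI = facility * 8 + severity, so <14> is facility 1 (user) with severity 6
    (info).  A line without a valid PRI is not a syslog message, which is why
    a test probe must carry one.
    """
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> header: %r" % line)
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return {"pri": pri, "facility": FACILITIES[facility],
            "severity": SEVERITIES[severity], "msg": m.group(2)}


def udp_roundtrip(message, host="127.0.0.1"):
    """Send `message` as one UDP datagram (what `nc -u` does) to a receiver
    bound on an ephemeral loopback port; return the datagram that arrived."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((host, 0))
        rx.settimeout(2)
        port = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(message.encode(), (host, port))
        data, _ = rx.recvfrom(65535)
    return data.decode()


def tcp_roundtrip(message, host="127.0.0.1"):
    """Same over TCP with newline framing, which is what a Syslog TCP input
    expects when use_null_delimiter is false.  Returns the first frame."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((host, 0))
        srv.listen(1)
        srv.settimeout(2)
        port = srv.getsockname()[1]
        with socket.create_connection((host, port), timeout=2) as tx:
            tx.sendall((message + "\n").encode())
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(2)
            buf = b""
            while b"\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
    return buf.split(b"\n", 1)[0].decode()


def self_test(message=PROBE):
    """Run both round trips and return what each receiver decoded."""
    return {"udp": parse_pri(udp_roundtrip(message)),
            "tcp": parse_pri(tcp_roundtrip(message))}


if __name__ == "__main__":
    for proto, decoded in self_test().items():
        print(proto, decoded)
```

If this passes on the Graylog host but the input still counts zero messages, the message format and the local stack are fine and the remaining suspects are what sits between sender and input: the port redirect, the bind address of the input, and the host firewall, which is where this thread ended up.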

(Mark Maciolek) #7

hi,

It was firewall rules; though they looked correct, they were not.
I verified it by turning off firewalld and could telnet graylog-server 514 on both IPv4 and IPv6.
Added the following rules; the command I used to fix the firewall:

```
firewall-cmd --zone="public" --add-forward-port=port=514:proto=udp:toport=1514 --permanent
firewall-cmd --zone="public" --add-forward-port=port=514:proto=tcp:toport=1514 --permanent
```

Mark