Graylog not reading/picking up Logs


#1

Hi,

I’m currently attempting to get Graylog working and see what I can get out of it in terms of logs. However, I’m experiencing some issues with logs not being read and/or parsed by Graylog. I know that data is definitely being sent to my Graylog server on port 5414:

$# tcpdump -i eth0 port 5414 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:47:53.857663 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 589
08:47:53.858942 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 855
08:47:53.859766 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 662
08:47:53.860994 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 679
08:47:53.862091 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 1388
08:47:53.863893 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 1389
08:47:55.884001 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 588
08:47:55.885032 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 589
08:47:55.885822 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 591
08:47:55.886911 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 694
08:47:57.912318 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 599
08:47:57.913878 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 1387
08:47:57.914666 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 591
08:47:57.916051 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 1044
08:47:57.916738 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 693
08:47:57.917964 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 588
08:47:57.918824 IP 172.10.1.10.50062 > 172.12.0.25.5414: UDP, length 590
^C
17 packets captured
17 packets received by filter
0 packets dropped by kernel

However, my Graylog does not seem to want to parse or pick up the data which is arriving:

Does anyone have any suggestions where I should be looking?
Thanks,
Frank


(Jan Doberstein) #2
  • did you send GELF messages over the wire?
  • did you check the graylog server.log?

#3

Hi Jan,

Yes, GELF UDP is configured in Nxlog through the use of the xm_gelf module.
By checking the server.log I found this:

$# vi server.log

2018-08-08T12:23:59.247+02:00 WARN [SyslogCodec] Syslog message is missing date or date could not be parsed. (Possibly set allow_override_date to true) Not further handling. Message was: <…>

I will attempt to get date overwriting working - I will post back with my results :slight_smile:
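The warning above comes from the Syslog codec, so the input on port 5414 is parsing GELF JSON as if it were syslog. A check I would add here (my own example, not from the thread, Graylog or nxlog) classifies what actually arrives on the UDP port as GELF or syslog, so the input type can be matched to the sender. It assumes uncompressed, gzip- or zlib-compressed GELF as nxlog's xm_gelf module emits it, and RFC 3164 syslog; all sample payloads are constructed.

```python
import gzip
import json
import re
import zlib

# Constructed samples (not from the thread). GELF_SAMPLE mimics what nxlog's
# xm_gelf module sends; the syslog lines follow RFC 3164, one without a date.
GELF_SAMPLE = b'{"version":"1.1","host":"app01","short_message":"login ok","timestamp":1533730000.5,"level":6}'
GELF_SAMPLE_ZLIB = zlib.compress(GELF_SAMPLE)
SYSLOG_SAMPLE = b'<34>Aug  8 12:23:59 app01 sshd[123]: Accepted publickey for frank'
SYSLOG_NO_DATE = b'<34>app01 sshd[123]: Accepted publickey for frank'

# PRI header followed by an RFC 3164 timestamp ("Aug  8 12:23:59").
RFC3164_TS = re.compile(rb'^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ')

def decompress_gelf(payload: bytes) -> bytes:
    """Undo the gzip or zlib compression a GELF UDP sender may apply."""
    if payload[:2] == b'\x1f\x8b':
        return gzip.decompress(payload)
    if payload[:1] == b'\x78':
        return zlib.decompress(payload)
    return payload

def classify(payload: bytes) -> dict:
    """Say which Graylog input codec matches this UDP payload and whether it carries a date."""
    if payload[:2] == b'\x1e\x0f':  # chunked GELF magic bytes
        return {"format": "gelf-chunked", "codec": "GELF UDP", "has_date": None}
    body = decompress_gelf(payload)
    if body.lstrip().startswith(b'{'):
        try:
            msg = json.loads(body)
        except ValueError:
            return {"format": "unknown", "codec": None, "has_date": False}
        if {"version", "host", "short_message"}.issubset(msg):
            # Per the GELF spec the server stamps the receive time when "timestamp"
            # is absent, so a missing timestamp is not fatal for a GELF input.
            return {"format": "gelf", "codec": "GELF UDP", "has_date": "timestamp" in msg}
        return {"format": "json", "codec": None, "has_date": False}
    if RFC3164_TS.match(payload):
        return {"format": "syslog", "codec": "Syslog UDP", "has_date": True}
    if payload.startswith(b'<') and b'>' in payload[:5]:
        # PRI header but no parsable timestamp: the Syslog codec's "missing date" case.
        return {"format": "syslog", "codec": "Syslog UDP", "has_date": False}
    return {"format": "unknown", "codec": None, "has_date": False}

def syslog_codec_would_warn(payload: bytes) -> bool:
    """True when a Syslog UDP input fed this payload would log the thread's
    'missing date or date could not be parsed' warning."""
    info = classify(payload)
    return not (info["format"] == "syslog" and info["has_date"])
```

Feed it the payload bytes from a capture on port 5414; a result of `"codec": "GELF UDP"` means the input should be a GELF UDP input rather than a Syslog UDP one, and no date override will fix the mismatch.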