Graylog not showing logs or messages from client

Hello there,

I am new to Graylog. We have configured the client with the entry below in its configuration file:

*.* @1*.**.88.**:514;RSYSLOG_SyslogProtocol23Format (we are using 514 port)

We even tried to send some logs to the Graylog server with:

echo -n -e '{ "version": "1.1", "host": "example.org", "short_message": "A short message", "level": 5, "_some_info": "foo" }'"\0" | nc -w 3 10.**.88.** 30001

tcpdump -vvv -i any port 514 | grep TCP
tcpdump -vvv -i any port 514 | grep UDP

But in the GUI we are not able to see any messages from that client. Can you all please help us with what we are missing, since we don’t have any idea of Graylog? Our version is Graylog v3.3.8+ (we have Graylog, MongoDB and Elasticsearch as Docker containers).

Regards,

@sameerk If you try to start an input on one of the privileged ports, it will only work for the “root” user. You can change your port to one above 1024, and also check whether you have restarted the rsyslog service on the client, which should run without any error (you can check the status of the service).

I hope this helps you!

@makarands,
We have 5 clients; 3 were able to send logs to port 514 but the other 2 are not. We have verified everything, and the configuration looks OK.
Can you help with how we should troubleshoot? I mean, from the client we can send a few logs and check on the Graylog server whether we are able to receive them in the backend.
Thanks for help.

I had something similar. 4 clients configured. 2 worked great and the other 2 not at all, or with incomplete messages. The 2 having problems didn’t use the Syslog RFCs that Graylog supports. I set up a second Input as Raw and started getting messages.

Also, I am surprised you were getting logs at all if you’re sending to port 514. As mentioned, Graylog won’t start a port lower than 1024 by default. We had to configure a port forward in the OS firewall from 514 to 5140 to get clients that only supported 514.
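As an added illustration of the port forward mentioned above (this is not code from any poster in the thread or from Graylog), the script below generates iptables NAT REDIRECT rules that send traffic arriving on privileged port 514 to an unprivileged input port, 5140 as in the thread. It assumes a Linux host with iptables; the port numbers, the function names and the APPLY/FROM_PORT/TO_PORT variables are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from this thread or from Graylog): redirect syslog traffic
# arriving on privileged port 514 to an unprivileged Graylog input port so the
# Graylog inputs never need to bind a port below 1024.
# Assumes Linux with iptables. Port numbers are the example's assumptions.

FROM_PORT=${FROM_PORT:-514}    # port the clients insist on sending to
TO_PORT=${TO_PORT:-5140}       # port the Graylog syslog/raw inputs listen on

# redirect_rule PROTO FROM TO
# Print one iptables command that rewrites the destination port of incoming
# PROTO traffic from FROM to TO on this host (nat table, PREROUTING chain).
redirect_rule() {
  local proto=$1 from=$2 to=$3
  printf 'iptables -t nat -A PREROUTING -p %s --dport %s -j REDIRECT --to-ports %s\n' \
    "$proto" "$from" "$to"
}

# redirect_rules
# Emit rules for both UDP and TCP, because as the thread notes some clients
# only speak one of the two and Graylog can run a UDP and a TCP input on the
# same port number.
redirect_rules() {
  redirect_rule udp "$FROM_PORT" "$TO_PORT"
  redirect_rule tcp "$FROM_PORT" "$TO_PORT"
}

# apply_redirect_rules
# Dry run by default: print the rules for review. Only when APPLY=1 is set
# are they executed (requires root).
apply_redirect_rules() {
  if [ "${APPLY:-0}" = 1 ]; then
    redirect_rules | sh
  else
    redirect_rules
  fi
}

# Usage:
#   ./redirect.sh            # prints the two iptables commands
#   sudo APPLY=1 ./redirect.sh
```

Two points worth checking after applying such rules: the host firewall's filter INPUT chain has to accept the redirected port (5140), because the destination port is rewritten before filtering, and PREROUTING only covers packets from other hosts, so a test sent from the Graylog server itself (for example with nc to 127.0.0.1:514) is not redirected unless an equivalent rule is added to the nat OUTPUT chain.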

“I set up a second Input as Raw and started getting messages.” – What should I select, TCP or UDP? I am new to Graylog, can you guide me?

Good morning. I can’t remember where I saw it, but this is from the Graylog documentation:

“UDP is also supported and the recommended way to send log messages in most architectures.”

If possible I always try to use UDP. BUT I set up each. Both can be active on the same IP/port.

Some of my devices will only support TCP.

Thank you, Zach.

It depends on how you send syslog from the clients.

This means UDP, and this is used in most cases for syslog. If you want to use TCP, specify a double @ instead of a single one.
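To tie the two halves of this thread together (the rsyslog action line from the first post and the manual test sends with nc), here is an added example, not from any poster or from Graylog or rsyslog, that reads an rsyslog forwarding action, reports whether it uses UDP (single @) or TCP (double @@) and which port, flags ports below 1024 that Graylog will not bind by default, and builds an RFC 5424 test message in the format the RSYSLOG_SyslogProtocol23Format template produces. All function names are the example's own; the sample action lines are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from this thread, Graylog or rsyslog): inspect an rsyslog
# forwarding action and craft a test syslog message to confirm the path from
# client to Graylog input. Function names are this example's own.

# rsyslog_action_proto ACTION_LINE
# Print "tcp" for a double @@ target, "udp" for a single @ target.
rsyslog_action_proto() {
  case "$1" in
    *'@@'*) echo tcp ;;
    *'@'*)  echo udp ;;
    *)      echo unknown; return 1 ;;
  esac
}

# rsyslog_action_port ACTION_LINE
# Print the destination port of the target; rsyslog defaults to 514 when
# no ":port" is given.
rsyslog_action_port() {
  local rest=${1#*@}        # drop everything up to the first @
  rest=${rest#@}            # drop the second @ of a TCP target
  rest=${rest%%;*}          # drop the ";TEMPLATE" suffix
  rest=${rest%% *}          # drop anything after the target
  case "$rest" in
    *:*) echo "${rest##*:}" ;;
    *)   echo 514 ;;
  esac
}

# port_is_privileged PORT
# Succeeds when PORT is below 1024: Graylog will not start an input there
# unless it runs as root, so a redirect or a port above 1024 is needed.
port_is_privileged() { [ "$1" -lt 1024 ]; }

# build_rfc5424 HOSTNAME APPNAME MESSAGE
# Construct an RFC 5424 line with PRI 13 (facility user, severity notice),
# the same framing the RSYSLOG_SyslogProtocol23Format template emits.
build_rfc5424() {
  local ts
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  printf '<13>1 %s %s %s - - - %s' "$ts" "$1" "$2" "$3"
}

# send_test_message PROTO HOST PORT MESSAGE
# Push one message with nc over UDP or TCP; watch it arrive with tcpdump on
# the Graylog host as done in the thread, then look for it in the input.
send_test_message() {
  local proto=$1 host=$2 port=$3 msg=$4
  if [ "$proto" = udp ]; then
    printf '%s\n' "$msg" | nc -u -w 1 "$host" "$port"
  else
    printf '%s\n' "$msg" | nc -w 3 "$host" "$port"
  fi
}

# check_action ACTION_LINE
# Summarise an action line and warn about a privileged port.
check_action() {
  local proto port
  proto=$(rsyslog_action_proto "$1") || return 1
  port=$(rsyslog_action_port "$1")
  printf 'protocol=%s port=%s\n' "$proto" "$port"
  if port_is_privileged "$port"; then
    echo "warning: port $port is below 1024; Graylog needs root or a redirect to bind it"
  fi
}

# Usage (constructed sample lines):
#   check_action '*.* @10.0.0.1:514;RSYSLOG_SyslogProtocol23Format'
#   check_action '*.* @@10.0.0.1:5140;RSYSLOG_SyslogProtocol23Format'
#   send_test_message udp 10.0.0.1 5140 "$(build_rfc5424 client1 testapp 'hello graylog')"
```

After sending, the message should show up in tcpdump on the Graylog host with the expected protocol; if it does and the input still shows nothing, the likely culprits are the ones named in this thread: the input listening on a different port or protocol than the client uses, or a client format that is not one of the RFCs the Syslog input parses, in which case a Raw input on the same port will accept it.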