I am new to Graylog. We have configured the client with the below entry in the configuration file:
*.* @1*.**.88.**:514;RSYSLOG_SyslogProtocol23Format (we are using 514 port)
We even tried to send some logs to the Graylog server with:
echo -n -e '{ "version": "1.1", "host": "example.org", "short_message": "A short message", "level": 5, "_some_info": "foo" }'"\0" | nc -w 3 10.**.88.** 30001
tcpdump -vvv -i any port 514 |grep TCP
tcpdump -vvv -i any port 514|grep UDP
But in the GUI we are not able to see any messages from that client. Can you all please help us find what we are missing, since we don’t have any idea of Graylog? Our version is Graylog v3.3.8+ (we have Graylog, MongoDB and Elasticsearch as Docker containers).
@sameerk If you try to start an input on one of the privileged ports, it will only work for the “root” user. You can change your port to one above 1024 and also check whether you have restarted the rsyslog service on the client, which should run without any error (you can check the status of the service).
@makarands,
We have 5 clients; 3 were able to send logs to port 514 but the other 2 are not. We have verified everything, and the configuration looks OK.
Can you help with how we should troubleshoot? I mean, from the client we can send a few logs and check on the Graylog server whether we are able to receive them in the backend.
Thanks for help.
I had something similar. 4 clients configured. 2 worked great and the other 2 not at all or with incomplete messages. The 2 having problems didn’t use the Syslog RFCs that Graylog supports. I set up a second Input as Raw and started getting messages.
Also, I am surprised you were getting logs at all if you’re sending to port 514. As mentioned, Graylog won’t start a port lower than 1024 by default. We had to configure a port forward in the OS firewall from 514 to 5140 to get clients that only supported 514.
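Added example, not part of any post in this thread: a Python helper that classifies a captured payload (for instance one copied out of `tcpdump -A` on the Graylog host) as RFC 5424, RFC 3164, GELF JSON or unstructured text, to show which clients would need a Raw input as described in the last reply. The regular expressions are simplified approximations of the RFC headers, not Graylog's own parser, and the sample payloads and host names are constructed.

```python
import json
import re

# Simplified header patterns (assumption: not Graylog's own parser).
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD ...
RFC5424 = re.compile(
    r"^<(\d{1,3})>[1-9]\d? "
    r"(?:-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d{1,6})?(?:Z|[+-]\d\d:\d\d)) "
    r"\S+ \S+ \S+ \S+ (?:-|\[)")
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME ...
RFC3164 = re.compile(
    r"^<(\d{1,3})>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"[ \d]\d \d\d:\d\d:\d\d \S+ ")

# Graylog input type that fits each kind of payload.
INPUT_FOR = {"rfc5424": "Syslog UDP/TCP", "rfc3164": "Syslog UDP/TCP",
             "gelf": "GELF UDP/TCP", "unstructured": "Raw/Plaintext UDP/TCP"}

def classify(payload: bytes) -> str:
    """Return rfc5424, rfc3164, gelf or unstructured for one captured message."""
    line = payload.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    for name, rx in (("rfc5424", RFC5424), ("rfc3164", RFC3164)):
        m = rx.match(line)
        if m and int(m.group(1)) <= 191:   # PRI = facility*8 + severity, max 191
            return name
    try:
        doc = json.loads(line)
        if isinstance(doc, dict) and "version" in doc and "short_message" in doc:
            return "gelf"
    except ValueError:
        pass
    return "unstructured"

# Constructed sample payloads, as they might be copied out of `tcpdump -A`.
SAMPLES = [
    b"<30>1 2021-03-04T10:15:30.123456+05:30 web01 sshd 1234 - - Accepted publickey\n",
    b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed\n",
    b"Mar  4 10:15:30 fw01 kernel: DROP IN=eth0\n",          # no <PRI> at all
    b"<13>2021-03-04 10:15:30 appliance01 link up\n",         # PRI but odd timestamp
    b'{"version": "1.1", "host": "example.org", "short_message": "A short message"}\x00',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        kind = classify(raw)
        print(f"{kind:12} -> {INPUT_FOR[kind]:22} {raw[:40]!r}")
```

The first sample has the layout that the RSYSLOG_SyslogProtocol23Format template from the first post produces; the third and fourth are the kind of message that only shows up on a Raw input.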