Graylog recive message but not save


(Paweł) #1

Hi, after installation graylog i try connect my other Debian station by rsyslog and:

On debian station, i add to “/etc/rsyslog.d/loghost.conf” to forward log to graylog

*.* @@xxx.xxx.xxx.xxx:5140

Restart rsyslog:

root@SMSServer:/etc/init.d# ./rsyslog restart
[ ok ] Restarting rsyslog (via systemctl): rsyslog.service.

Next i add in graylog “Syslog TCP” input, and set:
Node, Title, Bind address and Port.

Input is running, and when i try login by ssh the i recive data on this input “Network IO”:

But there is no message ;(


(Jochen) #2

Make sure that rsyslog is able to send TCP packets to your Graylog server and that the IP address and port is correct.

Additionally, please refer to https://github.com/Graylog2/graylog-guide-syslog-linux#rsyslog for instructions about how to configure rsyslog.


(Paweł) #3

I try :

UDP
*.* @xxx.xxx.xxx.xxx:5140
*.* @xxx.xxx.xxx.xxx:5140;RSYSLOG_SyslogProtocol23Format

TCP
*.* @@xxx.xxx.xxx.xxx:5140
*.* @@xxx.xxx.xxx.xxx:5140;RSYSLOG_SyslogProtocol23Format

But result is the same, recive data but no message ;(

RSyslogd Vesion

root@SMSServer:/home/pablik# rsyslogd -version
rsyslogd 8.4.2, compiled with:
        FEATURE_REGEXP:                         Yes
        GSSAPI Kerberos 5 support:              Yes
        FEATURE_DEBUG (debug build, slow code): No
        32bit Atomic operations supported:      Yes
        64bit Atomic operations supported:      Yes
        memory allocator:                       system default
        Runtime Instrumentation (slow code):    No
        uuid support:                           Yes
        Number of Bits in RainerScript integers: 64

(Jan Doberstein) #4

Hej Pawel,

it is not clear from your Image if the Syslog Input is running on Port 5140 …

additional you should check your Graylog server.log if you see any lines that might give you an idea what happens…


(Paweł) #5

UDP WORK !!!

*.* @xxx.xxx.xxx.xxx:5140;RSYSLOG_SyslogProtocol23Format

I dont know why TCP dont work