Hi Team,
Was trying to set up Graylog on an Ubuntu 20.04 VM on my server. Was following this guide to set it up, however I encountered the below errors when checking the logs.
I think it’s better to use the official howto, because the howto you posted is for the older Graylog version 3.3; the latest is 4.0, which has new features and also requirements.
@shoothub, thanks, will try the guide provided.
Hello,
Did you copy & paste it into the command prompt? If so, try typing it out and see if that works.
You have a firewall enabled?
I am able to log in now, but the input fails to collect logs.
Regards,
fengcheng
Did you check your log files? It might give a clue on why it's failing.
Maybe try something like this, see if that works.
@gsmith yes, it is able to run using the bind address. Then how should the Graylog server be able to recognise the server IP if it is using 0.0.0.0?
Need to trigger anything to see the logs?
Regards,
Fengcheng
Hi @fengcheng
The bind address is the address the Graylog input will listen on. Address 0.0.0.0 means all addresses, so it will listen on all network interfaces that the Graylog box has. So change the bind address to 0.0.0.0 from your defined address.
Check that you didn’t create more than one input listening on the same port. You can only create one input that listens on a specific port, otherwise it will fail to start, because the port is already bound by another input with the same port.
Hi @gsmith,
Noted on point 1. As for point 2, I only created 1 input so far. Not sure why there are no log messages showing.
Regards,
Fengcheng
@fengcheng
Hello
If not try looking at your client sending messages.
@gsmith how do I go about checking?
Regards,
Fengcheng
Hello,
This may enlighten you.
https://www.cyberciti.biz/faq/how-to-configure-firewall-with-ufw-on-ubuntu-20-04-lts/
Depending on what devices you have sending logs to your Graylog server, you may want to check them also.
How are you sending logs to Graylog (i.e. NXLog, Rsyslog, GL Sidecar, etc.)?
Normally the log shippers I mentioned above have their own log file that could be helpful in troubleshooting.
Things to check:
Hope that helps
Hi Gsmith,
Done setting up the firewall. Able to ping through fine. Do I need to set up something on my Windows server client side? Doesn't the Graylog server pick it up by itself? If not, I will go for simple syslog info, including event viewer logs if possible?
Regards,
Fengcheng
AFAIK Windows doesn’t natively send syslog. If you need something to ship event viewer logs, you’ll need something like Winlogbeat or NXlog. Both of those will ship via the lumberjack protocol (i.e., Beats). I’ll note that Graylog, on its own, collects nothing. There must always be an external application (e.g., syslog, some sort of beats agent, nxlog, etc.) shipping logs to Graylog for those logs to show up in Graylog.
Hi aaronsachs,
Noted, will give Winlogbeat (Winlogbeat quick start: installation and configuration | Winlogbeat Reference [7.12] | Elastic) a try on one of my servers.
Regards,
Fengcheng
Should I install Winlogbeat on the Graylog server itself or on another server?
Stuck at this part,
Regards,
Fengcheng
Hello,
Sorry for the long delay, I've been working.
The winlogbeat should be installed on the remote server, then point it to your Graylog server. Use the port from the INPUT you made on Graylog to configure winlogbeat.
Example
Remote-server —> Graylog Server INPUT (i.e. Syslog UDP, Port 1514)
Maybe this might help.
https://docs.graylog.org/en/4.0/pages/sending/windows.html#ingest-windows-eventlog
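
The bind-address and port-conflict points raised in this thread can be reproduced outside Graylog with a short script. This is an added example, not code from any poster or from Graylog: the local UDP listener stands in for a Syslog UDP input, and the host name and message text are constructed.

```python
import errno
import socket

def bind_udp(addr, port=0):
    """Open a UDP listener like an input would; port 0 lets the OS pick a free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((addr, port))
    s.settimeout(2.0)  # fail fast instead of hanging if nothing arrives
    return s

def port_conflict(addr, port):
    """Return True if a second listener cannot bind the port because it is in use."""
    try:
        bind_udp(addr, port).close()
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        raise

def send_test_syslog(host, port, text="graylog input test"):
    """Send one RFC 3164 style line; <14> is facility user (1*8) + severity info (6)."""
    msg = f"<14>Jan  1 00:00:00 testhost probe: {text}".encode()  # constructed sample
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (host, port))
    return msg

def demo():
    # Stand-in for the input: bound to 0.0.0.0, so it accepts traffic on every
    # interface, including loopback.
    listener = bind_udp("0.0.0.0")
    port = listener.getsockname()[1]
    # A second "input" on the same port fails to start (address already in use).
    conflict = port_conflict("0.0.0.0", port)
    # The client only needs any reachable IP of the box; here that is loopback.
    sent = send_test_syslog("127.0.0.1", port)
    received, _ = listener.recvfrom(4096)
    listener.close()
    return conflict, received == sent

if __name__ == "__main__":
    print(demo())
```

Against a real server, calling `send_test_syslog` with the Graylog host and the input's port, then searching for the message, separates an input or firewall problem from a shipper problem.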