Graylog server missing logs from some sources

Hi all.
We use Graylog 4.3.9. All works fine; I configured 6 different inputs for every type of device/logs.
Today I created a new syslog/udp input on port 5539 for HPE iLO syslogs, added new indices and a new stream. Syslog started coming in from the local network.
From other networks I can't see logs. On the router I can dump incoming traffic with syslog messages.
If I change syslog/udp to raw/udp, syslog from the other network starts showing in Graylog.
How can I debug the errors/reasons why logs don't work on the syslog/udp input from the other network?
Graylog 4.3.9 is set up on Oracle Linux 8.

I assume there is a firewall in between blocking your traffic?
The first thing I do when missing logs is a tcpdump on the Graylog machine filtering for my supposed source. If nothing appears, it's not a problem in Graylog.

“If I change syslog/udp to raw/udp, syslog from the other network starts showing in Graylog.”

If Syslog works for your local network logs, but not for the other networks, you have some kind of formatting error in your logs from the other networks. They are not following either of the syslog RFCs, and are, therefore, being rejected by the Syslog input/parser.

Turn on the “store full message” field for the correctly parsed logs, then compare that to the logs coming in on the raw input. You should see the differences between the two.

It could be that the source devices are misconfigured, or it could be that a proxy or other gateway device is somehow changing these messages as they pass through.
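A small checker for the comparison described above, as an added example that is not from the thread or from Graylog: it reports whether a line carries an RFC 5424 or RFC 3164 header and how far its timestamp sits from the receiver's clock, the kind of skew a wrong source time zone produces. The sample lines, the reference clock and the +03:00 source zone are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from the thread): an RFC 5424 line with an
# explicit +03:00 offset, an RFC 3164 line (no year, no zone), one malformed.
SAMPLES = [
    "<134>1 2023-10-05T12:00:00+03:00 ilo-host iLO - - - Login success",
    "<134>Oct  5 12:00:00 ilo-host iLO: Login success",
    "134 Oct 5 12:00 ilo-host something odd",
]
# Constructed receiver clock (UTC) and the zone the sample source really sits in.
REFERENCE_NOW = datetime(2023, 10, 5, 9, 0, 0, tzinfo=timezone.utc)
SOURCE_TZ = timezone(timedelta(hours=3))

# Header shapes only: PRI + version + timestamp, or PRI + BSD timestamp + host.
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) \S+ \S+ \S+ \S+ ")
RFC3164 = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) \S+ ")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def classify(line, now=REFERENCE_NOW, assumed_tz=timezone.utc):
    """Return (format, facility, severity, skew_seconds) for one syslog line.

    skew_seconds = message timestamp minus the receiver clock `now`. A skew of
    hours is what a wrong source time zone produces: the message is stored, but
    outside the window a "last N minutes" search covers. RFC 3164 stamps carry
    no year or zone, so the receiver must assume both; `assumed_tz` models that.
    """
    m = RFC5424.match(line)
    if m:
        pri = int(m.group(1))
        ts = datetime.fromisoformat(m.group(2))  # offset form such as +03:00
        if ts.tzinfo is None:                    # no zone given: assume one
            ts = ts.replace(tzinfo=assumed_tz)
        return "rfc5424", pri // 8, pri % 8, (ts - now).total_seconds()
    m = RFC3164.match(line)
    if m:
        pri = int(m.group(1))
        ts = datetime(now.year, MONTHS[m.group(2)], int(m.group(3)),
                      int(m.group(4)), int(m.group(5)), int(m.group(6)),
                      tzinfo=assumed_tz)
        return "rfc3164", pri // 8, pri % 8, (ts - now).total_seconds()
    return "unknown", None, None, None  # neither RFC: a strict parser rejects it


if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), line)
```

Run it against the full_message of a correctly parsed log and the raw-input copy of a missing one; an "unknown" result points at a format problem, a large skew at a clock or time zone problem.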

My bad.
All sources in the other subnet had the wrong TZ :man_facepalming:
Mismatch in the profile. After correcting the TZ, all started working as expected.
