GrayLog server not accepting data from fluentbit

GrayLog not accepting logs from fluentbit

  • OS Information:
    CentOS 8
  • Package Version:
    Graylog 4.3
    Wazuh 4.3
    Wazuh-indexer 7.10.3
    fluentbit

Graylog server log says the following:

2023-01-31T11:47:47.424+05:30 WARN  [RestClient] request [GET https://192.168.0.155:9200/_cluster/health?master_timeout=60s&level=cluster&timeout=60s&local=true] returned 1 warnings: [299 OpenSearch-1.2.4-e505b10357c03ae8d26d675172402f2f2144ef0f "this request accesses system indices: [.opendistro_security], but in a future major version, direct access to system indices will be prevented by default"]
2023-01-31T11:47:47.675+05:30 WARN  [DefaultFilterChain] GRIZZLY0013: Exception during FilterChain execution
java.lang.IllegalStateException: Unknown protocol to be aware of.","id":"81618","firedtimes":44105,"mail":false,"groups":["fortigate","syslog"],"gdpr":["IV_35.7.d"],"hipaa":["164.312.b"],"nist_800_53":["AU.6"],"pci_dss":["10.6.1"]},"agent":{"id":"000","name":"siem.localost"},"manager":{"name":"siem.localost"},"id":"1675145863.2418158377","full_log":"Jan 31 11:47:41 192.168.0.250 date=2023-01-31 time=11:52:08 devname=\"Backup\" devid=\"FGT3HD3ZZZZZZ\" eventtime=1675146129041849331 tz=\"+0530\" logid=\"0000000013\" type=\"traffic\" subtype=\"forward\" level=\"notice\" vd=\"root\" srcip=192.168.2.220 srcport=51042 srcintf=\"port1\" srcintfrole=\"lan\" dstip=4.1.82.148 dstport=443 dstintf=\"port3\" dstintfrole=\"wan\" srccountry=\"Reserved\" dstcountry=\"Singapore\" sessionid=891890 proto=6 action=\"client-rst\" policyid=33 policytype=\"policy\" poluuid=\"ac5beb90-2e1f-51e6-7863-5490983997c0\" service=\"HTTPS\" trandisp=\"snat\" transip=X.X.X.X transport=51042 appcat=\"unknown\" applist=\"restricted_Msupdate\" duration=298 sentbyte=2084 rcvdbyte=1225 sentpkt=25 rcvdpkt=18 sentdelta=432 rcvddelta=351 srchwvendor=\"Cisco\" devtype=\"Network\" srcfamily=\"Router\" osname=\"Windows\" mastersrcmac=\"00:08:e3:ff:fc:04\" srcmac=\"00:08:e3:ff:fc:04\" srcserver=0","predecoder":{"timestamp":"Jan 31 11:47:41","hostname":"192.168.0.250"},"decoder":{"name":"fortigate-firewall-v5"},"data":{"action":"client-rst","srcip":"192.168.2.220","srcport":"51042","dstip":"4.1.82.148","dstport":"443","appcat":"unknown","applist":"restricted_Msupdate","devid":"FGT3HD391ZZZZZ","devname":"Backup","dstcountry":"Singapore","dstintf":"port3","dstintfrole":"wan","duration":"298","eventtime":"1675146129041849331","level":"notice","logid":"0000000013","policyid":"33","poluuid":"ac5beb90-2e1f-51e6-7863-5490983997c0","proto":"6","rcvdbyte":"1225","sentbyte":"2084","sentpkt":"25","service":"HTTPS","sessionid":"891890","srccountry":"Reserved","srcintf":"port1","srcintfrole":"lan","subtype":"forward","time":"11:52:08","trandisp":"snat","transip":"1.7.142.206","transport":"51042","type":"traffic","vd":"root"},"location":"/var/log/messages"}
	at org.glassfish.grizzly.http.Protocol.valueOf(Protocol.java:87) ~[graylog.jar:?]
	at org.glassfish.grizzly.http.HttpHeader.getProtocol(HttpHeader.java:799) ~[graylog.jar:?]
	at org.glassfish.grizzly.http.HttpServerFilter.prepareResponse(HttpServerFilter.java:842) ~[graylog.jar:?]
	at org.glassfish.grizzly.http.HttpServerFilter.encodeHttpPacket(HttpServerFilter.java:809) ~[graylog.jar:?]
	at org.glassfish.grizzly.http.HttpServerFilter.commitAndCloseAsError(HttpServerFilter.java:1169) ~[graylog.jar:?]
	at org.glassfish.grizzly.http.HttpServerFilter.sendBadRequestResponse(HttpServerFilter.java:1161) ~[graylog.jar:?]
	at org.glassfish.grizzly.http.HttpServerFilter.onHttpHeaderError(HttpServerFilter.java:771) ~[graylog.jar:?]
	at org.glassfish.grizzly.http.HttpCodecFilter.handleRead(HttpCodecFilter.java:603) ~[graylog.jar:?]
	at org.glassfish.grizzly.http.HttpServerFilter.handleRead(HttpServerFilter.java:310) ~[graylog.jar:?]
	at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:95) ~[graylog.jar:?]
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260) ~[graylog.jar:?]
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177) ~[graylog.jar:?]
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109) [graylog.jar:?]
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88) [graylog.jar:?]
	at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53) [graylog.jar:?]
	at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:515) [graylog.jar:?]
	at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:89) [graylog.jar:?]
	at org.glassfish.grizzly.strategies.SameThreadIOStrategy.executeIoEvent(SameThreadIOStrategy.java:79) [graylog.jar:?]
	at org.glassfish.grizzly.strategies.AbstractIOStrategy.executeIoEvent(AbstractIOStrategy.java:66) [graylog.jar:?]
	at org.glassfish.grizzly.nio.SelectorRunner.iterateKeyEvents(SelectorRunner.java:391) [graylog.jar:?]
	at org.glassfish.grizzly.nio.SelectorRunner.iterateKeys(SelectorRunner.java:360) [graylog.jar:?]
	at org.glassfish.grizzly.nio.SelectorRunner.doSelect(SelectorRunner.java:324) [graylog.jar:?]
	at org.glassfish.grizzly.nio.SelectorRunner.run(SelectorRunner.java:255) [graylog.jar:?]
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:569) [graylog.jar:?]
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:549) [graylog.jar:?]
	at java.lang.Thread.run(Thread.java:829) [?:?]

I am clueless. Please help.

Looks like there is a discrepancy between the Fluentbit output and the Graylog Input. How do you have Fluentbit sending to Graylog? Via Syslog? Is it a Syslog input on Graylog? TCP or UDP?

Hey @vipinbhidwaria

This is native to the OpenSearch security index.

"this request accesses system indices: [.opendistro_security]"

With that warning it seems you are trying to create the security index.

What should I do now?

Syslog is sending to Wazuh, and Wazuh is sending to Graylog using Fluent Bit.

Fluent Bit can output to/as Elasticsearch, Syslog, Datadog, GELF, … How are you sending the message out to Graylog?

Graylog can receive on its inputs: syslog (UDP and TCP), HTTP, GELF, RAW…

So…

  • What method are you using to send messages out from Fluent Bit?
  • What kind of Graylog input are you using to receive the messages from Fluent Bit?
1 Like
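What the replies are probing for, as an added example that is not part of the original thread and is not Fluent Bit's or Graylog's code: a Python sketch of what a raw Wazuh alert looks like to an HTTP/1.x request-line parser (the `Protocol.valueOf` frame in the trace above is such a parse, and its message carries the leftover "protocol" token, which is why JSON text follows "Unknown protocol"), what the same alert looks like as a GELF 1.1 frame that a GELF TCP input accepts, and a classifier for the first bytes captured from a forwarder. The alert record, host names and the syslog severity used for `level` are constructed assumptions; the GELF field rules (version, host and short_message required, underscore-prefixed additional fields, `_id` reserved, NUL as the TCP frame delimiter) follow Graylog's published GELF 1.1 specification.

```python
"""Wire-level view of a forwarder/input mismatch: raw JSON vs HTTP vs GELF TCP."""
import json
import re
from datetime import datetime

# Constructed sample shaped like one Wazuh alerts.json record. Values are made up
# for this example (the epoch prefix of "id" matches "timestamp", as Wazuh does).
SAMPLE_ALERT = {
    "timestamp": "2023-01-31T11:47:43.000+0530",
    "rule": {
        "level": 3,
        "description": "Fortigate: Traffic log, something to be aware of.",
        "id": "81618",
        "groups": ["fortigate", "syslog"],
    },
    "agent": {"id": "000", "name": "siem.example"},
    "manager": {"name": "siem.example"},
    "id": "1675145863.2418158377",
    "full_log": 'Jan 31 11:47:41 192.0.2.250 date=2023-01-31 action="client-rst" dstport=443',
    "location": "/var/log/messages",
}

_HTTP_VERSION = re.compile(r"^HTTP/\d\.\d$")
_SYSLOG_PRI = re.compile(rb"^<\d{1,3}>")


def raw_json_line(alert: dict) -> bytes:
    """Compact one-line JSON plus newline: what a plain TCP-style output emits."""
    return json.dumps(alert, separators=(",", ":")).encode("utf-8") + b"\n"


def http_request_line(first_line: str):
    """Split a first line the way an HTTP/1.x parser does: method up to the first
    space, target up to the second, everything else is the protocol token. Given a
    JSON line, that token is a slice of the JSON, which is what an
    'Unknown protocol ...' message followed by JSON text is reporting."""
    first_line = first_line.rstrip("\r\n")
    method, _, rest = first_line.partition(" ")
    target, _, protocol = rest.partition(" ")
    return method, target, protocol


def is_http_request(data: bytes) -> bool:
    """True only when the first line is METHOD SP TARGET SP HTTP/x.y."""
    try:
        method, target, protocol = http_request_line(data.split(b"\n", 1)[0].decode("ascii"))
    except UnicodeDecodeError:
        return False
    return bool(method) and bool(target) and _HTTP_VERSION.match(protocol) is not None


def to_gelf_frame(alert: dict, level: int = 6) -> bytes:
    """Render the alert as one GELF 1.1 message framed for a GELF TCP input: a JSON
    object terminated by a NUL byte. `level` is the syslog severity GELF expects
    (6 = informational, an assumption here); Wazuh's 0-15 rule level is kept as an
    additional field because the two scales are not the same."""
    ts = datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    msg = {
        "version": "1.1",
        "host": alert["agent"]["name"],
        "short_message": alert["rule"]["description"],
        "full_message": alert["full_log"],
        "timestamp": ts.timestamp(),
        "level": level,
        # Additional fields carry a leading underscore; "_id" is reserved by GELF,
        # so the alert id travels under another name. Nested objects are flattened.
        "_alert_id": alert["id"],
        "_location": alert["location"],
        "_manager_name": alert["manager"]["name"],
    }
    for key, value in alert["rule"].items():
        msg[f"_rule_{key}"] = ",".join(value) if isinstance(value, list) else value
    return json.dumps(msg, separators=(",", ":")).encode("utf-8") + b"\x00"


def decode_gelf_frame(frame: bytes) -> dict:
    """Strip the NUL delimiter, parse, and check the three fields GELF 1.1 requires."""
    if not frame.endswith(b"\x00"):
        raise ValueError("GELF TCP frame must end with a NUL byte")
    msg = json.loads(frame[:-1])
    if not isinstance(msg, dict):
        raise ValueError("GELF message must be a JSON object")
    missing = {"version", "host", "short_message"} - set(msg)
    if missing:
        raise ValueError(f"GELF message missing required fields: {sorted(missing)}")
    return msg


def classify_payload(data: bytes) -> str:
    """Triage the first bytes a sender puts on the wire (e.g. from a tcpdump of the
    forwarder): 'http', 'syslog', 'gelf-tcp', 'json-line' or 'unknown'. Compare the
    result with the input type bound on the receiving port."""
    if is_http_request(data):
        return "http"
    if _SYSLOG_PRI.match(data):
        return "syslog"
    body = data.rstrip(b"\n")
    try:
        if body.endswith(b"\x00"):
            decode_gelf_frame(body)
            return "gelf-tcp"
        return "json-line" if isinstance(json.loads(body), dict) else "unknown"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    line = raw_json_line(SAMPLE_ALERT)
    print("protocol token an HTTP parser extracts from the raw line:", http_request_line(line.decode())[2][:40])
    print("raw JSON line classified as:", classify_payload(line))
    print("GELF frame classified as:", classify_payload(to_gelf_frame(SAMPLE_ALERT)))
```

To use this on a live setup, capture the first payload bytes of a connection from the forwarder to the Graylog host (tcpdump or tshark on the Graylog side), pass them to `classify_payload`, and check that the answer matches the input type listening on that port: an HTTP listener will reject "json-line" bytes exactly as the trace shows, while a GELF TCP input wants "gelf-tcp" frames. Fluent Bit's own `gelf` output produces frames equivalent to `to_gelf_frame` natively, so the Python here is for inspection and comparison, not for production forwarding.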

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.