Host no Longer Visible on Source Section

Graylog Central (peer support)
1

Hello All,
Missing a host in “Source” Section, but is still receiving message through Syslog UDP Input.
Environment all in one server;
graylog-server-2.4.1-1
mongodb-org-server-3.2.18-1.el7.x86_64
elasticsearch-5.6.6-1
CentOS Linux release 7.4.1708 (Core)
I converted all my Windows/Linux Syslog UDP Input/s to GELF_TCP using TLS. All Windows/Linux host are using the latest NXLOG. As shown below is the Windows Input configuration;
Windows-system-input

Localhost (Graylog-Server) Input is configure as shown below;
localhost-input

My Security Device (firewall) Input is configure as follow;

firewall-device
firewall-device.png579×878 34 KB

My security device name is no long visible in the source section.
My Input for the security device, all the messages coming through in real time,
Example shown below;

device%20show%20input
device show input.png1045×175 13.6 KB

This happened when I change my Input configuration for my localhost(Graylog-Server). Should I not use Gelf_TCP on localhost? If anyone has a suggestion I would really appreciate it.
Thank in advance

2

could you please rewrite your question using other words?

I did not got your problem and in addition to help we would need to know how (configuration?) you send messages and what the expected solution should be.

3

@jan
Sorry I was not clear on my question.
I converted all my nodes Input/s from UDP to TCP/TLS

My firewall/s is still sending messages to Graylog using Syslog_UDP input.
Configured with Port 51430, Global, Bind Address 0.0.0.0.

Localhost (Graylog Server) was using Syslog UDP Input, Port 5141.
I created a new Input for my Localhost GELF_TCP/TLS, Port 12220
When I did this my security device (firewall) name is no longer visible on the Web Interface under Sources, but I’m still receive message from Firewall through the input Syslog_UDP. Log’s do not show any problems occurring.
Should I not use Gelf_TCP/TSL Input on localhost (GrayLog Server)? Or do I need to convert my Firewall Input to TCP, if so I need to make a change control for that to happen.

4

I just solved my issue.

When I was looking at the logs sent from my Fortinet Device the time stamp was 7 hours behind the current time.
Digging through the Fortigate 5.6 manual i noticed that instead of using Syslog UDP input I should use Raw/Plaintext UDP or TCP.

I identified my solution from here:

When completing my new input, my Firewall name showed up on the Web interface under Sources.
Sorry I should have waited to post.

5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.