Host No Longer Visible in Source Section


(Greg Smith) #1

Hello All,
Missing a host in the “Source” section, but it is still receiving messages through the Syslog UDP input.
Environment, all in one server:
graylog-server-2.4.1-1
mongodb-org-server-3.2.18-1.el7.x86_64
elasticsearch-5.6.6-1
CentOS Linux release 7.4.1708 (Core)
I converted all my Windows/Linux Syslog UDP input(s) to GELF_TCP using TLS. All Windows/Linux hosts are using the latest NXLog. The Windows input configuration is shown below:

Localhost (Graylog-Server) input is configured as shown below:

My security device (firewall) input is configured as follows:

My security device name is no longer visible in the Sources section.
On my input for the security device, all the messages are coming through in real time.
Example shown below:


This happened when I changed my input configuration for my localhost (Graylog-Server). Should I not use GELF_TCP on localhost? If anyone has a suggestion I would really appreciate it.
Thanks in advance


(Jan Doberstein) #2

Could you please rewrite your question using other words?

I did not get your problem, and in addition, to help we would need to know how (configuration?) you send messages and what the expected solution should be.


(Greg Smith) #3

@jan
Sorry I was not clear on my question.
I converted all my nodes’ inputs from UDP to TCP/TLS.

My firewall(s) are still sending messages to Graylog using the Syslog_UDP input.
Configured with Port 51430, Global, Bind Address 0.0.0.0.

Localhost (Graylog Server) was using a Syslog UDP input, port 5141.
I created a new input for my localhost, GELF_TCP/TLS, port 12220.
When I did this my security device (firewall) name was no longer visible on the web interface under Sources, but I’m still receiving messages from the firewall through the Syslog_UDP input. Logs do not show any problems occurring.
Should I not use a GELF_TCP/TLS input on localhost (Graylog Server)? Or do I need to convert my firewall input to TCP? If so, I need to make a change control for that to happen.


(Greg Smith) #4

I just solved my issue.

When I was looking at the logs sent from my Fortinet device, the timestamp was 7 hours behind the current time.
Digging through the FortiGate 5.6 manual, I noticed that instead of using the Syslog UDP input I should use Raw/Plaintext UDP or TCP.

I identified my solution from here:

After completing my new input, my firewall name showed up on the web interface under Sources.
Sorry I should have waited to post.
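As an added example (not code from the thread or from Graylog/Fortinet), here is a small Python check a defender can run over received FortiGate-style key=value lines to catch the kind of timestamp skew described above: it names the source from `devname=`, builds a timezone-aware event time from `date=`/`time=` (using `tz=` when the line carries it, otherwise an assumed device timezone), and flags lines whose event time differs from the receipt time by more than a threshold. The sample lines, device name, device id and receipt time are all constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed FortiGate-style lines (placeholder device name/id, not real data).
# The first carries no tz= field, the second does.
SAMPLE_LINES = [
    'date=2018-02-20 time=08:15:30 devname=FW-EDGE-01 devid=FGT-PLACEHOLDER '
    'logid=0000000013 type=traffic action=accept',
    'date=2018-02-20 time=15:15:30 tz="+0000" devname=FW-EDGE-01 devid=FGT-PLACEHOLDER '
    'logid=0000000013 type=traffic action=deny',
]

# Constructed receipt time at the log server, in UTC.
RECEIVED_AT = datetime(2018, 2, 20, 15, 15, 30, tzinfo=timezone.utc)
UTC = timezone.utc
# Assumed device timezone for lines without tz= (UTC-7 here, mirroring the 7-hour gap in the thread).
DEVICE_TZ_MINUS7 = timezone(timedelta(hours=-7))

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split a key=value body into a dict, stripping surrounding quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def event_time(fields, device_tz):
    """Aware datetime from date=/time=; tz= (e.g. "+0000") wins over the assumed device_tz."""
    naive = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    tz_str = fields.get("tz")
    if tz_str:
        sign = -1 if tz_str[0] == "-" else 1
        offset = timedelta(hours=int(tz_str[1:3]), minutes=int(tz_str[3:5]))
        return naive.replace(tzinfo=timezone(sign * offset))
    return naive.replace(tzinfo=device_tz)


def check_skew(line, received_at, device_tz, max_skew_seconds=300):
    """Return (source, skew_seconds, flagged); skew = receipt time minus event time."""
    fields = parse_kv(line)
    skew = (received_at - event_time(fields, device_tz)).total_seconds()
    return fields.get("devname"), skew, abs(skew) > max_skew_seconds


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(check_skew(line, RECEIVED_AT, UTC))
```

With the device timezone wrongly assumed to be UTC, the first line shows a 7-hour skew and is flagged; with the correct UTC-7 assumption (or an explicit `tz=`) the skew is zero.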


(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.