The question is: how can Graylog tell the difference between different input types on the same port and, as a result, parse them properly based on the received message type?
I mean, let's say I have two input types on port 5555, 1. RAW/TCP 2. RAW/UDP. In this case it makes sense that Graylog has no problem with parsing, because both messages are the same type, RAW, only on a different network protocol. BUT how can it decide how to parse in cases like 1. RAW/TCP 2. SYSLOG/TCP?
The next question then is: are all message input types compatible with each other? I mean, can I have something like input_type_1, …, input_type_n on, let's say, port 5555?
And what if Graylog fails to parse the input, is there a fallback option?
For testing I created raw/tcp on the same port as existing syslog/tcp. Messages disappeared on syslog and appeared on raw. If I disabled raw input, messages appeared on syslog. And vice versa.
It is kind of confusing. Let's say I have a Beat Input type on port 6060. Then when I run the command echo some message | nc -u 192.168.138.140 6060 I get connection refused, which makes sense and probably means Beats only expects TCP. But when I try sending the same message using TCP with the command echo some message | nc 192.168.138.140 6060, this time there is no connection refused, but the message also does not show up in the input, which I think is an indication of upper layer3 awareness!!!?
Also, another thing is that it seems you can have a setup like 1. PaloAlto 2. RawUDP on the same port but not 1. PaloAlto 2. RawTCP; in the latter case it throws an error.
An input listens on its configured port and protocol combination. The input type isn't relevant to the decision to receive data or skip it. The input type can determine some preprocessing steps, which occur after data is received on the set port/protocol.
If you assign multiple inputs to the same port/protocol combination, Graylog will receive data on only one of these inputs. Which one, who knows.
Short answer to the topic question - it doesn't.
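The port/protocol point from the last reply, as an added example that is not part of the thread and not Graylog's code: a check that flags input definitions sharing one transport and port, plus a plain-socket demonstration that TCP and UDP can hold the same port number while a second TCP listener cannot. The input names and the `SAMPLE_INPUTS` list are constructed, and the sockets use default options, which is an assumption and not a statement about how Graylog configures its listeners.

```python
import socket
from collections import defaultdict

# Constructed sample: (input name, transport, port), modelled on the thread.
SAMPLE_INPUTS = [
    ("syslog-tcp", "tcp", 5555),
    ("raw-tcp", "tcp", 5555),
    ("raw-udp", "udp", 5555),
    ("beats", "tcp", 6060),
]

def find_collisions(inputs):
    """Return {(transport, port): [names]} for every listener key shared by 2+ inputs."""
    groups = defaultdict(list)
    for name, transport, port in inputs:
        groups[(transport.lower(), port)].append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}

def try_bind(transport, port, host="127.0.0.1"):
    """Open a listener; return the socket, or None when the address is already in use."""
    kind = socket.SOCK_STREAM if transport == "tcp" else socket.SOCK_DGRAM
    sock = socket.socket(socket.AF_INET, kind)
    try:
        sock.bind((host, port))
        if kind == socket.SOCK_STREAM:
            sock.listen(1)
        return sock
    except OSError:
        sock.close()
        return None

def bind_demo():
    """Bind TCP, UDP, then TCP again on one port number; report which binds succeeded."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))  # let the OS pick a free port
    port = probe.getsockname()[1]
    probe.close()
    socks = [try_bind(t, port) for t in ("tcp", "udp", "tcp")]
    outcome = tuple(s is not None for s in socks)
    for s in socks:
        if s is not None:
            s.close()
    return outcome

if __name__ == "__main__":
    print(find_collisions(SAMPLE_INPUTS))
    print(bind_demo())
```

Running `find_collisions` over an export of the configured inputs shows which ones compete for the same traffic and should be moved to separate ports.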