How to make sure that logs are sent to Graylog by TCP

Hello && Welcome

Correct me if I'm wrong, but there are a couple of ways to find out if logs were sent to Graylog using TCP. Since TCP uses a three-way handshake, you can do the following.

  • Use Wireshark or something similar
  • Depending on how you shipped the logs, you can check the log files on your remote device; for example, with Nxlog you can see in the log file whether the connection was made or there was no connection at all.
  • Use tcpdump

Example of tcpdump output:

18:31:05.295073 IP (tos 0x10, ttl 64, id 46944, offset 0, flags [DF], proto TCP (6), length 600)
    graylog.domain.com.9922 > gsmith.domain.com.57372: Flags [P.], cksum 0x2463 (incorrect -> 0x60d7), seq 2418992:2419552, ack 1441, win 2413, length 560

This is an example of the Nxlog log file when using GELF TCP/TLS:

2021-09-21 17:55:18 INFO connecting to graylog.domain.com:5140
2021-09-21 17:55:18 INFO nxlog-ce-2.10.2102 started
2021-09-21 17:55:19 INFO successfully connected to graylog.domain.com:5140

If Graylog is set up with a UDP input and your remote device is configured for TCP, then the remote device should drop the connection since Graylog will not send an ACK packet. This is vice versa with Graylog.
Also, to help you get a better response in the community, have a look at this post.

hope that helps
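As an added example (not part of the post above, and not Graylog's or Nxlog's own code), the following Python script does what the post describes from the shipper's side: it completes the TCP handshake to a GELF TCP input, sends one NUL-terminated GELF frame, and reports whether the connection was accepted or refused. Because it has to run offline, it stands up a small stand-in listener on 127.0.0.1 in place of a real Graylog GELF TCP input, and separately binds a UDP-only port to show the failure mode of a shipper configured for TCP pointing at a port that only has a UDP input. The listener class, the probe function, the port numbers (chosen by the OS) and the "probe" message are all assumptions made for this example.

```python
"""Probe a GELF TCP input the way a shipper would, and show the
UDP-only failure mode. Added example; the stand-in listener is not Graylog."""
import json
import socket
import threading


def gelf_frame(host: str, short_message: str) -> bytes:
    # GELF over TCP: one JSON document per message, terminated by a NUL byte.
    doc = {"version": "1.1", "host": host, "short_message": short_message, "level": 6}
    return json.dumps(doc).encode() + b"\x00"


def probe_gelf_tcp(host: str, port: int, short_message: str = "probe", timeout: float = 3.0):
    """Connect (SYN / SYN-ACK / ACK), send one frame, and classify the outcome.

    Returns a (status, detail) tuple: ("connected", bytes_sent) on success,
    ("refused", ...) when the peer answers with RST (no TCP listener),
    ("timeout", ...) when no SYN-ACK arrives, ("error", ...) otherwise.
    """
    payload = gelf_frame(socket.gethostname(), short_message)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
            return "connected", len(payload)
    except ConnectionRefusedError as exc:
        return "refused", str(exc)
    except socket.timeout:
        return "timeout", "no SYN-ACK within %.1fs" % timeout
    except OSError as exc:
        return "error", str(exc)


class StandInGelfTcpInput:
    """Hypothetical stand-in for a Graylog GELF TCP input: accepts one
    connection, reads up to the NUL terminator and parses the JSON."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))          # OS-assigned port
        self.sock.listen(1)
        self.sock.settimeout(5)
        self.port = self.sock.getsockname()[1]
        self.received = []
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        try:
            conn, _ = self.sock.accept()
        except socket.timeout:
            return
        with conn:
            buf = b""
            while b"\x00" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            frame = buf.split(b"\x00", 1)[0]
            if frame:
                self.received.append(json.loads(frame))

    def close(self):
        self.thread.join(timeout=5)
        self.sock.close()


def demo() -> dict:
    """Run both cases: a real TCP listener, and a port with only a UDP socket bound."""
    tcp_input = StandInGelfTcpInput()
    tcp_result = probe_gelf_tcp("127.0.0.1", tcp_input.port, "probe")
    tcp_input.close()

    # A UDP-only "input": nothing listens on TCP at this port, so the kernel
    # answers the SYN with RST and the shipper sees a refused connection.
    udp_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_sock.bind(("127.0.0.1", 0))
    udp_port = udp_sock.getsockname()[1]
    udp_result = probe_gelf_tcp("127.0.0.1", udp_port, "probe")
    udp_sock.close()

    return {"tcp": tcp_result, "udp_only": udp_result, "received": tcp_input.received}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Pointed at a real input, `probe_gelf_tcp("graylog.domain.com", 5140)` returning `connected` corresponds to the "successfully connected" line in the Nxlog log and to the completed handshake you would see with tcpdump; `refused` or `timeout` is what a shipper sees when the port has no TCP listener or is filtered.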