I have been using Graylog for a while, and it has been working for some devices, but recently I wanted to add an additional device, a Cisco OLT, and no messages are being shown:
Here is the tcpdump:
18:34:04.380479 IP A.A.A.A.syslog > gserver.mydomain.syslog: SYSLOG local0.info, length: 96
On the Graylog server I see nothing, but tcpdump says it is receiving something.
I have done a tcpdump for a working IP and it shows this:
18:35:48.313074 IP B.B.B.B.50265 > gserver.mydomain.syslog: SYSLOG local7.warning, length: 158
If I add a Linux server it works fine, but A.A.A.A is not working at all.
Most likely either a timestamp issue or an input type issue, or both.
Go to System | Inputs and click "Show received messages" for the input you are having issues with. It will perform a search without a time frame, "All Messages". If that returns something, take a look at the timestamp of the messages to see if the date/time is not being parsed correctly, because Cisco is known for having non-standard syslog messages. If that is the case, you'll probably need to change the input to Raw text/UDP to see if that fixes it.
I have solved it thanks to you. I added a new input and, with iptables, everything coming from non-standard syslog sources I redirect to the raw syslog UDP input; all others go to the standard UDP input:
#For non Standard Inputs
iptables -t nat -A PREROUTING --source A.A.A.A -p udp --dport 514 -j REDIRECT --to 1515
iptables -t nat -A PREROUTING --source B.B.B.B -p udp --dport 514 -j REDIRECT --to 1515
…
#For Standard Syslog Inputs
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514
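A quick check for the diagnosis given in the reply above: whether a device's syslog lines carry an RFC 3164 or RFC 5424 header that a syslog input can date correctly, or a vendor-style header that belongs on the raw UDP input (and thus on the iptables redirect list). This is an added example, not code from the thread or from Graylog; the sample lines are constructed, not the captures shown above.

```python
import re

# Facility and severity names as tcpdump prints them ("local0.info").
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# RFC 3164 header: "Mmm dd hh:mm:ss " with a space-padded day.
RFC3164_RE = re.compile(
    r"^(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) ( \d|\d\d) \d\d:\d\d:\d\d ")
# RFC 5424 header: version "1", then an ISO 8601 timestamp or "-".
RFC5424_RE = re.compile(
    r"^1 (-|\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(\.\d+)?(Z|[+-]\d\d:\d\d)) ")


def classify(line: str) -> dict:
    """Decode the PRI and report which header format the line uses."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return {"format": "nonstandard", "facility": None, "severity": None}
    facility, severity = divmod(int(m.group(1)), 8)
    rest = line[m.end():]
    if RFC5424_RE.match(rest):
        fmt = "rfc5424"
    elif RFC3164_RE.match(rest):
        fmt = "rfc3164"
    else:
        # Valid PRI but no recognised timestamp: a syslog parser may drop
        # or mis-date the message; a raw UDP input keeps it intact.
        fmt = "nonstandard"
    return {"format": fmt, "facility": FACILITIES[facility],
            "severity": SEVERITIES[severity]}


def needs_raw_input(line: str) -> bool:
    """True when the sender should be redirected to the raw/plaintext UDP input."""
    return classify(line)["format"] == "nonstandard"


# Constructed sample lines (hypothetical hosts, not the thread's captures).
SAMPLES = {
    "linux":  "<188>Jan 14 18:35:48 gserver sshd[1234]: constructed rfc3164 line",
    "cisco":  "<134>000123: *Jan 14 18:34:04.380: %PORT-6-UP: constructed vendor line",
    "modern": "<134>1 2024-01-14T18:34:04.380Z gserver app - - - constructed rfc5424 line",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        info = classify(line)
        print(f"{name:7} {info['facility']}.{info['severity']:8} "
              f"{info['format']:11} raw_input={needs_raw_input(line)}")
```

The facility/severity it decodes should match what tcpdump shows for the sender (local0.info for the OLT above); a "nonstandard" result is the cue to add that source to the non-standard iptables redirect.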