Input fails to start

Hello team!

I am having some trouble starting 2 inputs on the Graylog interface. The error message says “Address already in use. This means that you are unable to receive any messages from this input”.

Here is the inputs configuration:



So the working input is on port 5503 and the 2 not working inputs are on port 5501 and 5502.
Here is what I get with the netstat -peanut command:

netstat -peanut | grep "5502"

netstat -peanut | grep "5501"

netstat -peanut | grep "5503"

So I read a previous post with the same error message; my understanding is that this happens when there’s another process already using the network socket (IP address and port). The ports are different but we can see that the same foreign address is used. How can I correct this mistake? I don't see how I can change this from the Graylog server; this has to be corrected on the sending side of the logs, right?

Also we can see that for the working port (5503) we have “LISTEN”. And for the not working port (5502, 5501) we have “ESTABLISHED”.
How can I correct this?

Sorry if it is not clear enough. Let me know if you need more information to understand the problem.
Thanks

Hi Aymeric

1- Close the OS firewall or stop the antivirus.
2- Use the command ==> tcpdump host < IP > and port 550*
3- The input for filebeat is wrong; it must be input beat.

Hello @bahram :slight_smile:
Thank you very much for the answer.

So by changing the input types to Syslog TCP and GELF TCP instead of Syslog UDP and GELF UDP, I managed to get the inputs running. So they are both running now, that’s good; when doing a netstat -peanut | grep ":5501" and netstat -peanut | grep ":5502" I have a “LISTEN” for both.

The problem is that I still don't have any messages, and when I do a tcpdump there is no traffic. I'm looking in the firewall configuration as you advised but I don't see anything wrong; the ports mentioned are open on both TCP and UDP.
I also checked the Nxlog config file on the servers supposed to send the logs, and the port numbers are good.

hi
I guess it’s a routing problem, so change the zero address 0.0.0.0 to < IP Graylog Server >.
Please share the NXLog config and explain exactly what you want to do.

sorry, I’m too lazy to read all… BUT

Maybe you forgot to check your Graylog’s logs. They have to be full of "port in use" or similar messages.

Check your pictures…
5003 - nginx on TCP, java on UDP, so it’s NOT the same protocol+port.
5001,5002 - nginx is on UDP, and you wonder why Graylog can’t listen on the same UDP port???

I suggest configuring GL on the lo address, and nginx on your IP.

But I can’t understand why you want to use nginx. In your case the simplest solution is the best.

nginx won’t forward between protocols (udp-> tcp)
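
The protocol-and-port point made in the reply above, as an added example that is not part of the thread: Python binds a UDP socket on loopback (standing in for a listener that already owns the port), then tries the same port number again over UDP, over TCP, and over UDP on a second address. The function names and the 127.0.0.1 / 127.0.0.2 addresses are assumptions of this example.

```python
import errno
import socket


def try_bind(kind, host, port):
    """Bind (and for TCP, listen); return (socket, "ok") or (None, errno name)."""
    sock = socket.socket(socket.AF_INET, kind)
    try:
        sock.bind((host, port))
        if kind == socket.SOCK_STREAM:
            sock.listen(1)
        return sock, "ok"
    except OSError as exc:
        sock.close()
        return None, errno.errorcode.get(exc.errno, str(exc.errno))


def port_conflict_demo():
    """Report which binds collide with an existing UDP socket on 127.0.0.1."""
    # Stand-in for the process that already owns the port (port 0 = any free port).
    owner, _ = try_bind(socket.SOCK_DGRAM, "127.0.0.1", 0)
    port = owner.getsockname()[1]
    attempts = {
        # Same protocol, same address, same port: "Address already in use".
        "udp_same_port": (socket.SOCK_DGRAM, "127.0.0.1"),
        # TCP ports are a separate namespace, so the same number is free.
        "tcp_same_port": (socket.SOCK_STREAM, "127.0.0.1"),
        # Same protocol and port on another local address does not collide
        # (Linux treats all of 127.0.0.0/8 as local; other systems may not).
        "udp_other_address": (socket.SOCK_DGRAM, "127.0.0.2"),
    }
    results, held = {}, [owner]
    for name, (kind, host) in attempts.items():
        sock, status = try_bind(kind, host, port)
        results[name] = status
        if sock:
            held.append(sock)
    for sock in held:
        sock.close()
    return results


if __name__ == "__main__":
    for name, status in port_conflict_demo().items():
        print(f"{name}: {status}")
```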

Hello @macko003 and @bahram
Thank you very much for your concern and your answers. It really helps me a lot.
It seems like you guys need more information to understand my configuration, so I am going to give all the config files that seem relevant to me:

/etc/graylog/server/server.conf
/etc/nginx/sites-available/graylog
/etc/nginx/nginx.conf

To answer macko003's question, I use nginx as a proxy for the web interface.
Basically, I have 2 Graylog servers (1 master: 172.X.X.31, 1 slave: 172.X.X.32); I installed nginx in command line on the master Graylog server for the web interface. And there are some servers on the other side sending logs to 172.X.X.31 on port 5501 and 5502 with Nxlog. The goal would be to receive those logs on the web interface.

/etc/graylog/server/server.conf:

# Enable the embedded Graylog web interface.
# Default: true
web_enable = true
http_bind_address = 0.0.0.0:9000
http_publish_uri = http://172.X.X.31:9000/
http_external_uri = http://172.X.X.31:9000/

# Web interface listen URI.

/etc/nginx/sites-available/graylog:

upstream interface-web{
        server SvrSIEM-01.NAME.COM;
        server SvrSIEM-02.NAME.COM;
}


server {
        listen 80;
        server_name domainname.com;
        access_log /var/log/nginx/access-srvsiem-01.log;
        error_log /var/log/nginx/error-svrsiem-01.log;

        location / {
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Graylog-Server-URL http://domainname.com/api;
                proxy_pass http://172.X.X.31:9000;

        }
}

server {

        listen 443 ssl;

        server_name  domainname.com;

        access_log /var/log/nginx/access-svrsiem-01.log;
        error_log /var/log/nginx/error-svrsiem-01.log;

        ssl on;
        ssl_certificate /etc/ssl/certs/STAR_NAME_com.pem;
        ssl_certificate_key /etc/ssl/private/STAR_NAME_com.key;

        include /etc/nginx/ssl.conf;

        location / {
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Graylog-Server-URL https://domainname.com/api;
                proxy_pass https://172.X.X:9000;
        }
}

/etc/nginx/nginx.conf:

user www-data;
worker_processes auto;
worker_rlimit_nofile 10240;
pid /run/nginx.pid;

events {
        worker_connections 10240;
        # multi_accept on;
}

http {

        upstream elasticsearch {
                server 172.X.X.41:9200;
                server 172.X.X.42:9200;
             
        }


        ##
        # Basic Settings
        ##
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

stream {

        upstream interface-tcp-5501 {
                server svrpprd-syslog1.name.com:5501;
                server svrpprd-syslog2.name.com:5501;
                server svrpprd-syslog3.name.com:5501;
        }

        server {

                listen 5501 tcp;

                proxy_timeout 10s;
                proxy_pass interface-tcp-5501;

        }

        upstream interface-tcp-5502 {
                server svrpprd-syslog1.name.com:5502;
                server svrpprd-syslog2.name.com:5502;
                server svrpprd-syslog3.name.com:5502;
        }

        server {

                listen 5502 tcp;

                proxy_timeout 10s;
                proxy_pass interface-udp-5502;
        }

        upstream interface-tcp-5503 {
                server svrpprd-syslog1.name.com:5503;
                server svrpprd-syslog2.name.com:5503;
                server svrpprd-syslog3.name.com:5503;
        }

        server {

                listen 5503;

                proxy_timeout 10s;
                proxy_pass interface-tcp-5503;

        }
}

And here are my inputs again:


I don't have the Nxlog config file yet, bahram, sorry; I’ve asked for it, I may have it later. But I had the confirmation that the Nxlog services are running and sending to 172.X.X.31 on port 5502 or to 172.X.X.31 on port 5501.

The new netstat -peanut | grep ":5501":

Thanks a lot for your patience with a beginner like me and thanks for your help.

Hi Aymeric

https://docs.graylog.org/en/3.2/pages/configuration/web_interface.html
