Input is always failed!

mbahaa · 2017-11-20 17:19:06 UTC

please help me in solving my issue as i can’t get the input running at all! it always fails on graylog

server receives logs from routers smoothly (using syslog-ng), but when i try to add an input for the first time on the graylog web interface it alwasy fails!!!

[root@Syslog_Trial ~]# tcpdump -i ens160 -n | grep 10.10.
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
21:05:18.475471 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 74
21:05:18.475658 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 80
21:05:18.475926 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 114
21:05:18.476223 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 65
21:05:18.476562 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 74
21:05:18.476797 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 80
21:05:18.477045 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 116
21:05:21.635384 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 75
21:05:21.635643 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 80
21:05:21.635850 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 117
21:05:21.636237 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 74
21:05:21.636762 IP 10.10.20.2.63195 > 10.39.224.10.syslog: SYSLOG local3.debug, length: 80

please help me

jochen · 2017-11-20 17:44:55 UTC

How did you install Graylog?
What’s the configuration of the Syslog inputs in Graylog?
Have you taken the necessary steps to allow a non-privileged process (Graylog) to bind to privileged ports (anything <1024), e. g. provided the necessary Linux capabilities to the java binary or configured authbind?

mbahaa · 2017-11-20 18:22:34 UTC

firstly, many thanks for care & concern.

i’m very new to graylog & shall try to answer your questions as much as i could.

i installed Centos 7.x minimal
[root@Syslog_Trial ~]# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core)

–> then installed graylog (conf url below), elasticsearch, mongodb

https://pastebin.com/jGFwnKqu

[root@Syslog_Trial ~]# systemctl status syslog-ng.service
â— syslog-ng.service - System Logger Daemon
Loaded: loaded (/usr/lib/systemd/system/syslog-ng.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2017-11-20 20:50:16 EET; 1h 13min ago
Docs: man:syslog-ng(8)
Main PID: 12995 (syslog-ng)
CGroup: /system.slice/syslog-ng.service
â””â”€12995 /usr/sbin/syslog-ng -F -p /var/run/syslogd.pid

Nov 20 20:50:16 Syslog_Trial systemd[1]: Starting System Logger Daemon…
Nov 20 20:50:16 Syslog_Trial systemd[1]: Started System Logger Daemon.

[root@Syslog_Trial ~]# /usr/bin/java -version
openjdk version "1.8.0_151"
OpenJDK Runtime Environment (build 1.8.0_151-b12)
OpenJDK 64-Bit Server VM (build 25.151-b12, mixed mode)

[root@Syslog_Trial ~]# systemctl status -l elasticsearch.service
â— elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2017-11-15 14:20:49 EET; 5 days ago
Docs: http://www.elastic.co
Main PID: 2551 (java)
CGroup: /system.slice/elasticsearch.service
â””â”€2551 /bin/java -Xms2g -Xmx2g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -server -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -Djdk.io.permissionsUseCanonicalPath=true -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Dlog4j.skipJansi=true -XX:+HeapDumpOnOutOfMemoryError -Des.path.home=/usr/share/elasticsearch -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch -p /var/run/elasticsearch/elasticsearch.pid --quiet -Edefault.path.logs=/var/log/elasticsearch -Edefault.path.data=/var/lib/elasticsearch -Edefault.path.conf=/etc/elasticsearch

Nov 15 14:20:49 Syslog_Trial systemd[1]: Starting Elasticsearch…
Nov 15 14:20:49 Syslog_Trial systemd[1]: Started Elasticsearch.

[root@Syslog_Trial ~]# mongod -version
db version v3.2.17
git version: 186656d79574f7dfe0831a7e7821292ab380f667
OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
allocator: tcmalloc
modules: none
build environment:
distmod: rhel70
distarch: x86_64
target_arch: x86_64
[root@Syslog_Trial ~]# systemctl status -l mongod.service
â— mongod.service - SYSV: Mongo is a scalable, document-oriented database.
Loaded: loaded (/etc/rc.d/init.d/mongod; bad; vendor preset: disabled)
Active: active (running) since Wed 2017-11-15 13:20:53 EET; 5 days ago
Docs: man:systemd-sysv-generator(8)
CGroup: /system.slice/mongod.service
â””â”€1442 /usr/bin/mongod -f /etc/mongod.conf

Nov 15 13:20:48 Syslog_Trial systemd[1]: Starting SYSV: Mongo is a scalable, document-oriented database…
Nov 15 13:20:48 Syslog_Trial runuser[1148]: pam_unix(runuser:session): session opened for user mongod by (uid=0)
Nov 15 13:20:53 Syslog_Trial mongod[1098]: Starting mongod: [ OK ]
Nov 15 13:20:53 Syslog_Trial systemd[1]: Started SYSV: Mongo is a scalable, document-oriented database…

jochen · 2017-11-20 18:51:02 UTC

As mentioned before, privileged ports (everything <1024) may only be used by the superuser of the system, i. e. “root”.

Try using a port >1024 for the syslog input, e. g. port 5514, and point the syslog clients there.

If that’s working and you absolutely need to use port 514 for some reason, you could use iptables to redirect traffic from port 514 to port 5514 (Graylog).

Also take a look at the syslog configuration guide:

mbahaa · 2017-11-20 19:21:19 UTC

i do appreciate your patience & valuable support

i’ve added the below to /etc/syslog-ng/syslog-ng.conf

Define TCP syslog destination.

destination d_net {
syslog(“10.39.224.10” port(1514));
};

Tell syslog-ng to send data from source s_src to the newly defined syslog destination.

log {
source(s_sys); # Defined in the default syslog-ng configuration.
destination(d_net);
};

also i deleted all input and add 2 new syslog inputs (1 for TCP & another for UDP) on port 1514 but still no receiving updates

can you advise please ?

mbahaa · 2017-11-20 20:06:05 UTC

Thanks alot jochen for your shown cooperative spirit the messages started to be received after add the below command

iptables -t nat -A PREROUTING -i ens160 -p udp --dport 514 -j REDIRECT --to-port 1514

system · 2017-12-04 20:06:06 UTC

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.