Input - no active connection

Hello everyone
I’d just like to start seeing the logs from the Graylog server itself. Although I tried to change the syslog configuration, there is no “connection enabled” on my input.
So I left the default config of rsyslog.conf.
thank you in advance

@Ponet
I already searched on Google and on the forum, but I didn’t find the solution.
All my services (graylog, elasticsearch, mongo, rsyslog) work normally, I did the firewall rules, and the TCP and UDP modules are uncommented in rsyslog.conf.
I didn’t see the same thing elsewhere, on Google or here.

In the graylog-server/server.log I found this:


But I don’t know if there is a link with my problem.

No, it’s not a problem, it’s general info that you should see in all Graylog instances.
How did you configure rsyslog? Please post it.

Hi @shoothub,
Here’s the configuration of rsyslog.conf:
image
image
The last ip is the one of the local server (graylog and syslog)

Why do you try to send syslog messages to port 514, where rsyslog is listening? It doesn’t make sense.

Try to use recommended steps:

  1. Create Syslog Input with port higher than 1024 e.g. 1514, TCP or UDP
  2. If you created UDP Syslog Input replace last line with:
     *.* @10.15.20.138:1514;RSYSLOG_SyslogProtocol23Format
  3. If you created TCP Syslog Input replace last line with:
     *.* @@10.15.20.138:1514;RSYSLOG_SyslogProtocol23Format

Done.

Thank you @shoothub
I try to send syslog messages to port 514 and not to port 1514 because rsyslog shows a mistake when I configure rsyslog to port 1514:

That’s why I send to port 514, so I created a firewall rule to translate:

image

And even when I do what you told me to do just before, there’s still no active connection in Graylog.

I don’t have good experience with port 514 translation. I would recommend using ports higher than 1024, because Graylog runs as a normal user and can’t listen on ports lower than 1024.

You mixed 2 things. You’ve set up rsyslog to listen on port 514 and to send to it? If you want to only forward local logs to Graylog using rsyslog, comment out the lines in rsyslog that listen on port 514, create an Input with a listening port higher than 1024, and forward with the rsyslog line that I have provided.

That’s what I did in my first try. Everything was supposed to be on port 1514. I tried to do what you did, and commented out all the lines with 514. There’s still only this line:
image

But there’s still the same problem, no active connections and all the error messages with
systemctl status rsyslog

If you use SELinux, try to disable it (set to Permissive) and restart rsyslog. Maybe SELinux is blocking the connection.

It’s good, I have an active connection, no logs for now, but that’s another thing.

Thanks a lot!
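
An added example, not part of the original thread: a small Python check over a legacy-syntax rsyslog.conf that flags the two misconfigurations discussed above, forwarding to a port rsyslog itself listens on and targeting a port below 1024. Both config samples are constructed, and `lint` and its finding codes are hypothetical names.

```python
import re

# Constructed sample in legacy rsyslog syntax, mirroring the setup described in the
# thread: rsyslog listens on 514 and also forwards to 514 on the same host.
SAMPLE_CONF = """\
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
*.* @10.15.20.138:514;RSYSLOG_SyslogProtocol23Format
"""

# Constructed corrected variant: listeners commented out, TCP forward to an input on 1514.
FIXED_CONF = """\
#$ModLoad imudp
#$UDPServerRun 514
*.* @@10.15.20.138:1514;RSYSLOG_SyslogProtocol23Format
"""

LISTEN = re.compile(r"^\$(UDPServerRun|InputTCPServerRun)\s+(\d+)")
# selector, then @host:port (UDP) or @@host:port (TCP), optional ;template
FORWARD = re.compile(r"^\S+\s+(@@?)([^\s:;@]+):(\d+)(?:;\S+)?$")


def lint(conf, local_addrs):
    """Return (code, proto, host, port) findings; names and codes are hypothetical."""
    listens, forwards, findings = set(), [], []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        if m := LISTEN.match(line):
            proto = "udp" if m.group(1) == "UDPServerRun" else "tcp"
            listens.add((proto, int(m.group(2))))
        elif m := FORWARD.match(line):
            proto = "tcp" if m.group(1) == "@@" else "udp"
            forwards.append((proto, m.group(2), int(m.group(3))))
    for proto, host, port in forwards:
        # rsyslog would deliver to its own listener instead of the Graylog input
        if host in local_addrs and (proto, port) in listens:
            findings.append(("LOOP", proto, host, port))
        # per the thread, Graylog runs as a normal user and cannot bind ports below 1024
        if port < 1024:
            findings.append(("PRIVILEGED_PORT", proto, host, port))
    return findings


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(name, lint(conf, {"127.0.0.1", "10.15.20.138"}))
```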
