IP address in graylog-server.log

Hello,

I have messages like the following in my graylog.log:

2021-07-26T15:54:09.361+02:00 WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=Syslog UDP, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=b8865e93-c3fb-4033-b66a-c8afaeexxxcb} (channel [id: 0x88b37d6b, L:/0:0:0:0:0:0:0:0%0:1514]) should be 425985 but is 425984.
2021-07-26T15:54:09.363+02:00 WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogUDPInput{title=Syslog UDP, type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=b8865e93-c3fb-4033-b66a-c8afaeexxxcb} (channel [id: 0x12efd89a, L:/0:0:0:0:0:0:0:0%0:1514]) should be 425985 but is 425984.
2021-07-26T15:54:18.524+02:00 ERROR [CsvConverter] Different number of columns in CSV data (5) and configured field names (6). Discarding input.
2021-07-26T15:54:18.524+02:00 ERROR [CsvConverter] Different number of columns in CSV data (5) and configured field names (6). Discarding input.

But I don’t know where I can find from which IP Graylog is getting these.
Is it possible to enable it somehow? It would be really useful…

Hello && Welcome

I think this post might give you an idea of what to do.

This is only a suggestion.
If the above post doesn't work for you, then on your OS you could inspect the maximum socket buffer sizes for SO_RCVBUF (receive, rmem_max) and SO_SNDBUF (send, wmem_max).

[root@graylog-server~] sysctl --all --pattern "net.core.[rw]mem_max"

net.core.rmem_max = 212992
net.core.wmem_max = 212992

Update maximum socket receive buffer size.

[root@graylog-server~] sudo sysctl --write net.core.rmem_max=425985
net.core.rmem_max = 425985

Restart graylog-server service.

[root@graylog-server~] systemctl restart graylog-server

NOTE: If it doesn't work you can reset it back.

As for…

I’m not sure, maybe someone else might know here.

Hope that helps
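The buffer-size check from the steps above, as an added Python example that is not from the thread or from the Graylog project: it parses the UdpTransport warning for the size Graylog asked for, reads net.core.rmem_max from /proc (the standard Linux path; assumed readable, with a fallback when it is not), and returns the sysctl command from the reply when the kernel limit is lower. The warning line is a constructed sample modelled on the one quoted in the question.

```python
import re
from pathlib import Path

# Constructed sample line modelled on the UdpTransport warning quoted in the question.
SAMPLE_WARNING = (
    "2021-07-26T15:54:09.361+02:00 WARN  [UdpTransport] receiveBufferSize (SO_RCVBUF) "
    "for input SyslogUDPInput{title=Syslog UDP} (channel [id: 0x88b37d6b, "
    "L:/0:0:0:0:0:0:0:0%0:1514]) should be 425985 but is 425984."
)

# Matches the input class name and the two byte counts in the warning.
WARNING_RE = re.compile(
    r"\[UdpTransport\] receiveBufferSize \(SO_RCVBUF\) for input (?P<input>[^\s{]+)\{"
    r".*?should be (?P<wanted>\d+) but is (?P<actual>\d+)"
)


def parse_rcvbuf_warning(line):
    """Return (input_name, wanted_bytes, actual_bytes) for a SO_RCVBUF warning, else None."""
    match = WARNING_RE.search(line)
    if not match:
        return None
    return match.group("input"), int(match.group("wanted")), int(match.group("actual"))


def read_rmem_max(path="/proc/sys/net/core/rmem_max"):
    """Current kernel receive-buffer limit, or None when the file is not readable
    (non-Linux host, or a container without /proc/sys)."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None


def advise(wanted, rmem_max):
    """Return the sysctl command from the reply when the kernel limit is below what
    Graylog asked for (or unknown); return None when no change is needed."""
    if rmem_max is None or rmem_max < wanted:
        return f"sudo sysctl --write net.core.rmem_max={wanted}"
    return None


if __name__ == "__main__":
    parsed = parse_rcvbuf_warning(SAMPLE_WARNING)
    if parsed:
        input_name, wanted, actual = parsed
        current = read_rmem_max()
        print(f"{input_name}: Graylog wants {wanted} bytes, socket has {actual}; "
              f"net.core.rmem_max is {current}")
        command = advise(wanted, current)
        print(command or "kernel limit already covers the requested size")
```

Run it on the host that writes graylog-server.log; after applying the printed command and restarting graylog-server, re-run it to confirm advise() returns None.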

Hi and thanks for your answer!

But my problem is more that I don’t know which server/device produces that error; also it is annoying that Graylog discards the input/message.

Do you have an extractor on your inputs? If so could we see those configurations?

EDIT: A couple of questions I need to ask you.
What version of Graylog are you using?
What device/s are sending logs (Windows, Linux, Switches, etc…) to Graylog and how are you shipping logs (i.e. nxlog, winlogbeat, etc…) to Graylog from these devices?

I think it's some type of configuration on your input and if not, it might be your log shipper's configuration. Not sure until I see the whole picture.

What version of Graylog are you using?

Graylog 3.0.2 (I know it's old, and we will upgrade soon)

What device/s are sending logs (Windows, Linux, Switches, etc…) to Graylog

all of this :wink: but we try it in separate streams

how are you shipping logs (i.e. nxlog, winlogbeat, etc…) to Graylog from these devices?

It depends, on Linux/Windows we use filebeat/journalbeat…

At the moment we use the csv thing only for firewall (opnsense) and apache, and I guess it’s from the apache; here is the extractor for apache:

{
  "extractors": [
    {
      "title": "Apache Access Data",
      "extractor_type": "regex",
      "converters": [
        {
          "type": "csv",
          "config": {
            "separator": "|",
            "column_header": "apache_servername|apache_port|apache_remote_hostname|apache_remnote_logname|apache_remote_user|apache_time|apache_first_line_of_request|apache_status|apache_bytes_send|apache_header_line_request|apache_user-agent",
            "trim_leading_whitespace": true
          }
        }
      ],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "apache_raw_data",
      "extractor_config": {
        "regex_value": "(.*)"
      },
      "condition_type": "regex",
      "condition_value": "!ErrOR.*http|HTTP.*"
    },
    {
      "title": "Apache Error Data",
      "extractor_type": "regex",
      "converters": [
        {
          "type": "csv",
          "config": {
            "column_header": "apache_error_time|apache_error_loglevel|apache_error_process-ID|apache_error_sourcefile|apache_error_client-IP|apache_error_errormessage",
            "separator": "|",
            "trim_leading_whitespace": true
          }
        }
      ],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "apache_raw_error",
      "extractor_config": {
        "regex_value": "ErrOR(.*)"
      },
      "condition_type": "regex",
      "condition_value": "^ErrOR(.*)"
    }
  ],
  "version": "3.0.2"
}

But it would still be much easier to figure out what's wrong if I could see which server sends the logs and what the message looks like, but Graylog discards this instead of saving it without the extractor.

(if you’ve got better ideas to get/parse apache logs (access/error), you’re welcome :wink: )

Hello,

I haven’t had much time using CSV extractors, but from what I’ve seen while researching, the data coming in does not match your extractor; I’m not 100% sure though. There are a couple of ways of troubleshooting this that I know of. Check your Apache log shipper log files to ensure there are no issues. If you’re consistently getting these errors, try stopping one apache server log shipper to see if the errors stop; do this until you find the culprit or culprits.

Another suggestion would be to make an INPUT just for firewalls and a different INPUT for your apache servers; at least you can narrow it down. I agree there is not enough information, but you could set your logging on the Graylog server to debug; maybe you can get more information than “ERROR [CsvConverter] Different number of columns in CSV data (5) and configured field names (6). Discarding input.”.

I think we both can agree that it’s the input created with the CSV extractor configured on it.
Sorry I can't give you a direct answer to solve your issue.

  1. What type of INPUT are you using for your firewalls and apache server?
  2. Have you tried different inputs?
  3. Did you test your CSV extractor against the logs from apache and/or the firewalls?
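The column-count check that produces the CsvConverter error, and the per-sender narrowing suggested in the last reply, as an added Python example (not code from the thread or from Graylog). It reuses the two column_header strings from the posted extractor config; note that only the Apache Error extractor has six column names, which is the "(6)" the error reports. The sample messages and host names below are constructed, and the converter behaviour is modelled as a plain split on the configured separator with leading whitespace trimmed, which is what the posted config asks for.

```python
from collections import Counter

# Column headers copied from the extractor configuration posted above.
ACCESS_HEADER = ("apache_servername|apache_port|apache_remote_hostname|apache_remnote_logname|"
                 "apache_remote_user|apache_time|apache_first_line_of_request|apache_status|"
                 "apache_bytes_send|apache_header_line_request|apache_user-agent")
ERROR_HEADER = ("apache_error_time|apache_error_loglevel|apache_error_process-ID|"
                "apache_error_sourcefile|apache_error_client-IP|apache_error_errormessage")
SEPARATOR = "|"

# Constructed sample (source, message) pairs; the hosts are made up for this example.
# The second message lacks the client-IP field, the third carries a literal separator
# inside the free-text error message, so both would be discarded by the converter.
SAMPLES = [
    ("web01.example.internal",
     "[Mon Jul 26 15:54:18.524 2021]|error|pid 1234|core.c|203.0.113.5|"
     "File does not exist: /var/www/html/favicon.ico"),
    ("web02.example.internal",
     "[Mon Jul 26 15:54:18.524 2021]|error|pid 5678|core.c|"
     "File does not exist: /var/www/html/robots.txt"),
    ("web03.example.internal",
     "[Mon Jul 26 15:54:19.001 2021]|error|pid 9012|mod_rewrite.c|198.51.100.7|"
     "rule pattern contains a literal '|' character"),
]


def split_csv(message, separator=SEPARATOR, trim_leading_whitespace=True):
    """Split one message the way the posted converter config describes."""
    fields = message.split(separator)
    if trim_leading_whitespace:
        fields = [field.lstrip() for field in fields]
    return fields


def check_message(message, column_header, separator=SEPARATOR):
    """Return (accepted, data_columns, configured_columns), mirroring the
    'Different number of columns in CSV data (n) and configured field names (m)' check."""
    configured = len(column_header.split(separator))
    got = len(split_csv(message, separator))
    return got == configured, got, configured


def mismatches_by_source(samples, column_header, separator=SEPARATOR):
    """Count messages that would be discarded, grouped by sender, so the noisy host stands out."""
    counts = Counter()
    for source, message in samples:
        accepted, _, _ = check_message(message, column_header, separator)
        if not accepted:
            counts[source] += 1
    return dict(counts)


if __name__ == "__main__":
    for source, message in SAMPLES:
        accepted, got, configured = check_message(message, ERROR_HEADER)
        status = "ok" if accepted else f"DISCARDED ({got} columns vs {configured} names)"
        print(f"{source}: {status}")
    print("discards per source:", mismatches_by_source(SAMPLES, ERROR_HEADER))
```

To use it on real data, export raw messages from an input with the extractor disabled (or from the shipper's own log files), keep the sender alongside each line, and feed those pairs in place of SAMPLES; the per-source counts point at the host whose format differs from the six-field layout.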
