Issues with Syslog input


(Gregory West) #1

I have one input a syslog-UDP it is working great right now. Question is am I getting all syslog entries from the server(s) sending to Graylog, or am I getting only the UDP syslog messages from the server(s)? Meaning, does each server need both:

*.* @10.10.10.2:8514;RSYSLOG_SyslogProtocol23Format

and

*.* @@10.10.10.2:8514;RSYSLOG_SyslogProtocol23Format

in the rsyslog.conf file to get everything?


Do I really get all logs?
Do I really get all logs?
(Jochen) #2

You only need one of these lines in your rsyslog configuration. The first one for Syslog UDP, the second one for Syslog TCP.

Please refer to the Graylog Syslog guide for details:


(Gregory West) #3

So if I am understanding you correctly, to get all the syslog information from my Linux servers I only need one input on my Graylog server.

What are the pros/cons of using UDP over TCP for the input?


(Jochen) #4

TCP is connection-oriented (including handshake and possibly keep-alive packets) while UDP is connection-less.

UDP requires less resources (no connection-tracking etc.) but is prone to losing packets (i. e. log messages) if the network is unstable.
Additionally, using TLS for securing connections requires TCP and doesn’t work over UDP.

See these references for further information:


(Gregory West) #5

Thank you. That helps.
Just about to deploy to all my servers. I did read somewhere there was an issue with Windows Servers sending logs to Graylog, or am I mistaken? Do you have a URL for anything I have to watch out for?


(Jochen) #6

I obviously don’t know what you’ve read, but there are no general problems in consuming logs from Windows systems that I’m aware of.


(Gregory West) #7

Thanks! Have read so much on Gray Log in the last 3 weeks. You are right, probably have got things a little mixed up. So far the testing is going good. Even managed to change the GrayLog server IP without any major issues (only minor ones from me forgetting to change a conf file)

Thanks again
Greg


#8

One more difference of TCP/UDP in syslog context. TCP rsyslog is able to throttle. It can (depending on how you configure it) stop the services it is logging, in order to guarantee that no log messages are lost, in case of e.g. network outages or log server outages. UDP rsyslog has no such configuration possibility.


(Gregory West) #9

I am looking at my logs on one of my server, I can see the login information of the fileserver, but not on the graylog server. Do I need to specify all the logs I wish to send to graylog, or can I send them all with :. @@10.10.10.2:8514;RSYSLOG_SyslogProtocol23Format?

Anyone have a sample of that they are using in their rsyslog.conf file to talk to graylog?


(Jochen) #10

(Gregory West) #11

I read that, and am using the . line as described, but I am not getting any of the login information in Graylog. What am I doing wrong?


(Jochen) #12

What inputs have you created in Graylog?
What’s the configuration of these inputs?
Is Graylog accessible from the machines running rsyslog and sending syslog messages?
Is there a packet filter or firewall blocking packets to the correct Graylog input?


(Gregory West) #13

I have created the standard TCP syslog input. That is all I have created thus far. Yes the machine in question is sending the logs as I can see other messages in graylog from that server, just not the login type information. There are no firewalls between the two servers in question


(Jochen) #14

And what’s the configuration of this Syslog TCP input?

What other messages do you receive from that machine?


(Gregory West) #15

the input stream config is:

allow_override_date:
 true
bind_address:
 0.0.0.0
expand_structured_data:
 false
force_rdns:
 false
max_message_size:
 2097152
override_source:
 <empty>
port:
 8514
recv_buffer_size:
 1048576
store_full_message:
 false
tcp_keepalive:
 false
tls_cert_file:
 <empty>
tls_client_auth:
 disabled
tls_client_auth_cert_file:
 <empty>
tls_enable:
 false
tls_key_file:
 <empty>
tls_key_password:
 ********
use_null_delimiter:
 false

Throughput / Metrics
1 minute average rate: 0 msg/s
Network IO: 0B 0B (total: 229.2KB 0B )
Active connections: 5 (5 total)
Empty messages discarded: 0

The other messages I am getting are just status updates and some config errors. The messages I am reading in Graylog from my server ‘cloud’ are in the main log table when I go onto ‘cloud’ and view the syslog file. The login information is not in the main log file on cloud, but is in authen-log file


(Jochen) #16

Are there any other inputs and what’s their configuration?
Also, what’s in the logs of your Graylog node(s)?


(Gregory West) #17

That is the only input I have configured so far.


(Jochen) #18

Try verifying with Wireshark or tcpdump whether any TCP packets arrive at port 8514/tcp on the machine running Graylog.


(Gregory West) #19

I do not understand, I know packets from ‘cloud’ get to graylog server. I can see lots of entries on my Graylog server from cloud. The only thing I can not see is the logs of people login in and out of the server ‘cloud’. There is also only one graylog server in my set up.


(Jochen) #20

As far as I can see, everything is working as expected.

You have only 1 input in Graylog and rsyslog is sending messages to it which are correctly processed by Graylog (otherwise you couldn’t query anything).

If that’s not the case, please elaborate on your problem (what you expect to happen, what actually happens, all relevant configuration settings and logs).