Juniper syslog to graylog


(Carsten Roenne) #1

Hi GL,

I would like to receive both security and trafic logs from Juniper firewalls and switches but no luck so far.
I’ve created input for Syslog TCP and Raw/plainText TCP, opened up ports 5555 and 514 in firewalls and on graylog hst, anmd setup sending to syslog from the network devices. I can’t seem to find here i’m done it wrong? Am I missing something. Thanks. :slight_smile:


(Jochen) #2

Please post the complete configuration of the inputs you’re using and the syslog configuration of your Juniper devices.

Additionally, please check whether the network devices are sending any messages at all with Wireshark or tcpdump.


(Carsten Roenne) #3

Hi Jochen,

Firewall are open at 514 udp, on fedora 192.168.37.82 and juniper 192.168.1.1 nat to fedora 192.168.37.82

Juniper srx-320, 192.168.1.1, syslog config - syslogs are coming in to my pc, 192.168.1.16, syslogwatcher: se attached data flow picture

Stream logs:

syslog {
    archive size 100k files 3;
    user * {
        any emergency;
    }
    host 192.168.1.16 {
        any any;
    }
    host 192.168.37.82 {
        any any;
    }
    file messages {
        any critical;
        authorization info;
    }
    file interactive-commands {
        interactive-commands info;
        match UI_CMDLINE_READ_LINE;
    }
    file traffic-log {
        any any;
        match RT_FLOW_SESSION;
    }
    file policy_session {
        user info;
        match RT_FLOW;
        archive size 1000k world-readable;
        structured-data;
    }
}

Security logs:

security {
log {
mode stream;
source-address 192.168.1.1;
stream Graylog {
format syslog;
host {
192.168.37.82;
port 514;
}
}
}

I tried there 3 inputs, and graylog-server service recycled

Graylog raw: udp 514

RAW Raw/Plaintext UDP 0 RUNNING

bind_address:
 0.0.0.0
override_source:
 <empty>
port:
 514
recv_buffer_size:
 262144

GELF udp: 514

bind_address:
 0.0.0.0
decompress_size_limit:
 8388608
override_source:
 <empty>
port:
 514
recv_buffer_size:
 262144

Syslog Udp : 514

allow_override_date:
 true
bind_address:
 0.0.0.0
expand_structured_data:
 false
force_rdns:
 false
override_source:
 <empty>
port:
 514
recv_buffer_size:
 262144

(Jochen) #4

Have you checked if the network packets reach the machine running Graylog with Wireshark or tcpdump?


(Jochen) #6

What input are you using right now?
Did it start correctly on port 514/udp?


(Carsten Roenne) #7

syslog udp 514
no it’s not starting correctly up. It did yesterday, now i’ve tried to recycle services and host but it won’t start.

i ve only one input with udp 514. what to do?


(Carsten Roenne) #8

i’ve changed it to udp/5014 raw/text and it works.


(Jochen) #9

http://docs.graylog.org/en/2.4/pages/faq.html#how-can-i-start-an-input-on-a-port-below-1024


(system) #10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.