Hi, I have just installed Graylog for the first time and am having difficulty getting Inputs to generate any messages. I am focusing on Rsyslog TCP at the moment. Just want to see anything get generated. Here is my config below.
Graylog:
Graylog v2.3.2+3df951e
server.conf
is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret = 9Cmqo6p0QVB0YgC9NHDEBKqjjhNGDgv9sEeBuHvogC7NbTBi782mPWlgpUyyig1Jp4byKWYNw0en3oRIoxUhPEMe6803E3yG
root_username = xxxxxxxx
root_password_sha2 = xxxxxxx
root_timezone = -07:00
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http://162.70.27.206:9000/api/
web_listen_uri = http://162.70.27.206:9000/
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000
mongodb_threads_allowed_to_block_multiplier = 5
content_packs_dir = /usr/share/graylog-server/contentpacks
content_packs_auto_load = grok-patterns.json
proxied_requests_thread_pool_size = 32
Linux:
Red Hat Enterprise Linux Server release 7.0 (Maipo)
Java:
java version "1.8.0_151"
Java(TM) SE Runtime Environment (build 1.8.0_151-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)
Elasticsearch:
HTTP/1.1 200 OK
content-type: application/json; charset=UTF-8
content-length: 426
{
"name" : "9mn9imw",
"cluster_name" : "graylog",
"cluster_uuid" : "vNWjHm-mTZOW249O-ZR-cw",
"version" : {
"number" : "6.1.0",
"build_hash" : "c0c1ba0",
"build_date" : "2017-12-12T12:32:54.550Z",
"build_snapshot" : false,
"lucene_version" : "7.1.0",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
/etc/elasticsearch/elasticsearch.yml
cluster.name: graylog
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 0.0.0.0
Mongodb:
db version v3.6.0
git version: a57d8e71e6998a2d0afde7edc11bd23e5661c915
OpenSSL version: OpenSSL 1.0.1e-fips 11 Feb 2013
allocator: tcmalloc
modules: none
build environment:
distmod: rhel70
distarch: x86_64
target_arch: x86_64
Graylog Server rsyslog.conf:
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$WorkDirectory /var/lib/rsyslog
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
*.info;mail.none;authpriv.none;cron.none /var/log/messages
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg :omusrmsg:*
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log
*.* @@127.0.0.1:5140
Target Server rsyslog.d/graylog.conf:
*.* @@graylog.ams.com:514;RSYSLOG_SyslogProtocol23Format
Graylog Input Properties:
Editing Input sat62
Global
Should this input start on all nodes
Node
On which node should this input start
Title
sat62
Bind address
127.0.0.1
Address to listen on. For example 0.0.0.0 or 127.0.0.1.
Port
1514
Port to listen on.
Receive Buffer Size(optional)
1048576
The size in bytes of the recvBufferSize for network connections to this input.
TLS cert file(optional)
Path to the TLS certificate file
TLS private key file(optional)
Path to the TLS private key file
Enable TLS(optional)
Accept TLS connections
TLS key password(optional)
The password for the encrypted key file.
TLS client authentication(optional)
Whether clients need to authenticate themselves in a TLS connection
Expand structured data?(optional)
Expand structured data elements by prefixing attributes with their SD-ID?
TCP keepalive(optional)
Enable TCP keepalive packets
Null frame delimiter?(optional)
Use null byte as frame delimiter? Otherwise newline delimiter is used.
Maximum message size(optional)
2097152
The maximum length of a message.
Override source(optional)
The source is a hostname derived from the received packet by default. Set this if you want to override it with a custom string.
Force rDNS?(optional)
Force rDNS resolution of hostname? Use if hostname cannot be parsed. (Be careful if you are sending DNS logs into this input because it can cause a feedback loop.)
Allow overriding date?(optional)
Allow to override with current date if date could not be parsed?
Store full message?(optional)
Store the full original syslog message as full_message?
TLS Client Auth Trusted Certs(optional)
TLS Client Auth Trusted Certs (File or Directory)
Graylog Server Netstat Output:
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
tcp6 0 0 :::514 :::* LISTEN
tcp6 0 0 127.0.0.1:1514 :::* LISTEN
tcp6 0 0 127.0.0.1:5140 :::* LISTEN
udp 0 0 0.0.0.0:514 0.0.0.0:*
udp6 0 0 :::514 :::*
udp6 0 0 127.0.0.1:5140 :::*
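An added cross-check, not part of the original post: it parses the classic rsyslog forwarding actions (`@host:port` for UDP, `@@host:port` for TCP, optional `;TEMPLATE`) from a config and reports any destination that has no matching Graylog input listener. The sample config lines and the listener (TCP, bind 127.0.0.1, port 1514) are taken from the post above; the `Forward` type and function names are my own.

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple

class Forward(NamedTuple):
    selector: str          # e.g. "*.*"
    proto: str             # "tcp" for @@, "udp" for @
    host: str
    port: int              # rsyslog defaults to 514 when no port is given
    template: Optional[str]

# Classic-syntax forwarding action: "<selector> @@host:port;TEMPLATE"
_FWD = re.compile(
    r"^(?P<sel>\S+)\s+(?P<at>@@?)(?P<host>[^:;\s]+)(?::(?P<port>\d+))?(?:;(?P<tpl>\S+))?\s*$"
)

def parse_forwards(conf: str) -> List[Forward]:
    """Return every forwarding action found in an rsyslog config text."""
    found = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "$")):   # skip comments and $-directives
            continue
        m = _FWD.match(line)
        if m:
            proto = "tcp" if m.group("at") == "@@" else "udp"
            port = int(m.group("port") or 514)
            found.append(Forward(m.group("sel"), proto, m.group("host"), port, m.group("tpl")))
    return found

Listener = Tuple[str, str, int]   # (proto, bind address, port) of a Graylog input

def unmatched_forwards(forwards: List[Forward], listeners: Set[Listener]) -> List[str]:
    """List forwards whose (proto, host, port) no Graylog input is listening for.
    A bind of 0.0.0.0 is treated as matching any host name."""
    problems = []
    for f in forwards:
        ok = any(p == f.proto and port == f.port and bind in ("0.0.0.0", f.host)
                 for p, bind, port in listeners)
        if not ok:
            problems.append(f"{f.selector} -> {f.proto}://{f.host}:{f.port} has no matching Graylog input")
    return problems

# Config lines copied from the post (Graylog host and target server), as constructed sample input.
GRAYLOG_HOST_CONF = "$IncludeConfig /etc/rsyslog.d/*.conf\nlocal7.* /var/log/boot.log\n*.* @@127.0.0.1:5140\n"
TARGET_CONF = "*.* @@graylog.ams.com:514;RSYSLOG_SyslogProtocol23Format\n"
GRAYLOG_INPUTS: Set[Listener] = {("tcp", "127.0.0.1", 1514)}   # input "sat62" from the post

if __name__ == "__main__":
    for name, conf in (("graylog host", GRAYLOG_HOST_CONF), ("target", TARGET_CONF)):
        for p in unmatched_forwards(parse_forwards(conf), GRAYLOG_INPUTS):
            print(f"[{name}] {p}")
```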