No incoming data


(Andrew B) #1

Hi,

I have just installed Graylog and got it all set up and, I think, running correctly (mainly from the Admin-mag article, even if there were some spelling mistakes in some of the code). But it seems that the data is not being processed by the server.

Please forgive me, as I have searched the forums and Google but nothing jumps out as a solution to my problem. I have enough Linux knowledge to be dangerous, but am in no way an expert, so I might need a little hand-holding.

What I have done so far

Graylog running, GELF_UDP input created, added firewall rule to allow 12201/UDP through (this wasn't mentioned in any of the guides, so not too sure if it is required)

Installed nxlog on a Windows box and configured it to send the Windows logs to the Graylog server, and it seems to be sending data

When I tcpdump on port 12201, I can see the traffic coming in from the Windows box, but nothing is being processed.
13:40:47.929595 IP .63650 > 10.52.10.112.12201: UDP, length 680
13:40:47.929602 IP .63650 > 10.52.10.112.12201: UDP, length 684
13:40:47.930082 IP .63650 > 10.52.10.112.12201: UDP, length 685

Please see below for config files that might be useful

graylog server.conf - ignore the spaces after the http - this is to get around the links limit in the forum

is_master = true
node_id_file = /etc/graylog/server/node-id
password_secret =
root_password_sha2 =
plugin_dir = /usr/share/graylog-server/plugin
rest_listen_uri = http ://10.52.10.112:9000/api/
rest_transport_uri = http ://10.52.10.112:9000/api/
web_enable = true
web_listen_uri = http ://10.52.10.112:9000/

nxlog.conf
define ROOT C:\Program Files (x86)\nxlog
Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

# Block names: "in" and "out" are taken from the route below; the names of the
# extension and processor blocks were lost when the file was pasted and are assumed.
<Extension gelf>
    Module xm_gelf
</Extension>

<Input in>
    # Use for windows vista/2008 and higher:
    Module im_msvistalog
</Input>

<Processor buffer>
    Module pm_buffer
    MaxSize 102400
    Type Disk
</Processor>

<Output out>
    Module om_udp
    Host 10.52.10.112
    Port 12201
    OutputType GELF_UDP
</Output>

<Route 1>
    Path in => out
</Route>

Thanks for any help


(Jan Doberstein) #2

Are you able to send a message from the command line?

Try this first on the Graylog server, to check whether the error is located near Graylog, and second from a network host. This way you identify piece by piece where the problem is located.


(Andrew B) #3

Hi Jan,

thanks for the quick reply, I have tried the following

echo -e '{"version": "1.1","host":"example.org","short_message":"Short message","full_message":"Backtrace here\n\nmore stuff","level":1,"_user_id":9001,"_some_info":"foo","_some_env_var":"bar"}\0' | nc -w 1 10.52.10.112 12201

and to 127.0.0.1

but got an "ncat: connection refused." message

Could this be about the ipv4 and ipv6 issues I have seen people get?


(Jan Doberstein) #4

You tried sending TCP to a UDP input (according to your previous postings).

UDP

echo '{"version": "1.1","host":"example.org","short_message":"A short message that helps you identify what is going on","full_message":"Backtrace here\n\nmore stuff","level":1,"_user_id":9001,"_some_info":"foo","_some_env_var":"bar"}' | gzip | nc -u -w 1 127.0.0.1 12201

TCP

echo '{"version": "1.1","host":"example.org","short_message":"A short message that helps you identify what is going on","full_message":"Backtrace here\n\nmore stuff","level":1,"_user_id":9001,"_some_info":"foo","_some_env_var":"bar"}' | gzip | nc -w 1 127.0.0.1 12201

http://docs.graylog.org/en/2.5/pages/gelf.html?highlight=gelf#sending-gelf-messages-via-udp-using-netcat
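To make the TCP versus UDP framing difference from #3 and #4 concrete, here is an added example, written for this page and not code from Graylog, nxlog or the thread. It builds the same test message as GELF over TCP (NUL-terminated, uncompressed) and as GELF over UDP (gzip-compressed, chunked when it does not fit one datagram), decodes the UDP side the way an input would, and probes the port so that the "connection refused" a plain `nc` (without `-u`) reports against a UDP-only input can be told apart from a firewall dropping packets. The sample message is constructed from the netcat command above; the target address is the one from the thread and the chunk size is an assumption.

```python
import gzip
import json
import os
import socket
import struct
import zlib

# Constructed sample, same fields as the netcat test message in the thread.
SAMPLE = {
    "version": "1.1",
    "host": "example.org",
    "short_message": "A short message that helps you identify what is going on",
    "full_message": "Backtrace here\n\nmore stuff",
    "level": 1,
    "_user_id": 9001,
    "_some_info": "foo",
    "_some_env_var": "bar",
}

CHUNK_MAGIC = b"\x1e\x0f"  # marks a GELF chunk; header is magic(2) id(8) seq(1) count(1)
GZIP_MAGIC = b"\x1f\x8b"
ZLIB_MAGIC = b"\x78"
MAX_CHUNKS = 128           # GELF allows at most 128 chunks per message
CHUNK_PAYLOAD = 1400       # assumed; chosen so each datagram fits a 1500-byte MTU


def gelf_tcp_frame(msg):
    """GELF over TCP: one uncompressed JSON document terminated by a NUL byte."""
    return json.dumps(msg).encode() + b"\x00"


def gelf_udp_datagrams(msg, compress=True, chunk_payload=CHUNK_PAYLOAD):
    """GELF over UDP: optionally gzip-compressed JSON, chunked when it does not
    fit one datagram. Returns the list of datagrams to send."""
    body = json.dumps(msg).encode()
    if compress:
        body = gzip.compress(body)
    if len(body) <= chunk_payload:
        return [body]
    pieces = [body[i:i + chunk_payload] for i in range(0, len(body), chunk_payload)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError("message needs %d chunks, limit is %d" % (len(pieces), MAX_CHUNKS))
    msg_id = os.urandom(8)  # ties the chunks of one message together
    return [CHUNK_MAGIC + msg_id + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]


class GelfUdpDecoder:
    """Mirrors what a GELF UDP input does: reassemble chunks, decompress, parse.
    Deliberately strict: a TCP-style frame (trailing NUL) is rejected, which
    surfaces the framing mix-up from the thread. Graylog itself may be more lenient."""

    def __init__(self):
        self._partial = {}  # message id -> {seq: payload}

    def feed(self, datagram):
        """Return the decoded message, or None while chunks are still missing."""
        if datagram.startswith(CHUNK_MAGIC):
            msg_id = datagram[2:10]
            seq, count = struct.unpack("BB", datagram[10:12])
            chunks = self._partial.setdefault(msg_id, {})
            chunks[seq] = datagram[12:]
            if len(chunks) < count:
                return None
            body = b"".join(chunks[i] for i in range(count))  # order by seq, not arrival
            del self._partial[msg_id]
        else:
            body = datagram
        if body.startswith(GZIP_MAGIC):
            body = gzip.decompress(body)
        elif body.startswith(ZLIB_MAGIC):
            body = zlib.decompress(body)
        return json.loads(body.decode())


def roundtrip(msg, compress=True, chunk_payload=CHUNK_PAYLOAD):
    """Encode and decode without a network, to check the framing on its own."""
    decoder, result = GelfUdpDecoder(), None
    for datagram in gelf_udp_datagrams(msg, compress, chunk_payload):
        result = decoder.feed(datagram)
    return result


def tcp_probe(host, port, timeout=2.0):
    """'refused' = host answered but no TCP listener there (what plain nc without -u
    reports against a UDP-only input); 'timeout' = packets dropped, e.g. by a
    firewall, or host unreachable; 'open' = a TCP listener accepted."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except OSError:
            return "timeout"


if __name__ == "__main__":
    host, port = "10.52.10.112", 12201  # server and default GELF UDP port from the thread
    print("TCP probe of %s:%d: %s" % (host, port, tcp_probe(host, port)))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for datagram in gelf_udp_datagrams(SAMPLE):
            sock.sendto(datagram, (host, port))  # same as the nc -u test, with chunking
```

Run it from the Graylog host first and from the Windows side second, as suggested above. If `tcp_probe` reports `timeout` rather than `refused`, packets are being dropped before Graylog sees them; on CentOS with firewalld a rule added with `--permanent` only takes effect after `firewall-cmd --reload`, and an input that is listening but receiving nothing is exactly what the tcpdump output in the first post looks like from the outside.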


(Andrew B) #5

Ah, OK.

Just tried both of those and I still get connection refused!

:frowning:


(Andrew B) #6

OK, something just happened: I was messing with the CentOS firewall and it started working.

I think it was the fact that I hadn't reloaded the firewall!! Doh!

Thanks for your help and for pointing me roughly in the right direction. I take it that the system doesn't automatically add the relevant rules when adding inputs?


(Jan Doberstein) #7

I take it that the system doesn't automatically add the relevant rules when adding inputs?

You are right - how should the system know that it needs to do this, and how, on all supported distributions and platforms?


(Andrew B) #8

As I said, my Linux knowledge gets me through most things; I didn't know if it could detect the system that your software was installed on and from there open the ports that have been specified in the inputs section. Maybe a popup reminder would be nice from a user experience point of view, especially for first-time users.

As someone that wanted to implement the system but was hampered by inaccurate instructions in the Admin-mag and no mention of opening any ports on the firewall in the installation documentation on your website, it was more just a comment on improving user adoption of your solution, which I now have working and is awesome. I am looking forward to having a really good play with it so I can then suggest we move to the enterprise version in the future.

So a big thanks to you sir for your prompt answers and pointing me in the right direction

Andy


(system) closed #9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.