No sign of logs being in the graylog server

I can see my rsyslog client is sending logs to the graylog2 server (docker setup), but I can't seem to see any sign that graylog is seeing any logs whatsoever. Searching for "ERROR" produces no results.

Firewall rules look ok?

root@ubuntu16-host1:/etc/sysctl.d# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
CATTLE_FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain CATTLE_FORWARD (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x1068
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x4000

Chain DOCKER (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.5           tcp dpt:12201
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.5           tcp dpt:9000
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.5           tcp dpt:514

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
root@ubuntu16-host1:/etc/sysctl.d# 

Where do I look next?

I followed the quickstart guide as follows,

$ docker run --name mongo -d mongo:3
$ docker run --name elasticsearch \
    -e "http.host=0.0.0.0" -e "xpack.security.enabled=false" \
    -d docker.elastic.co/elasticsearch/elasticsearch:5.5.1
$ docker run --link mongo --link elasticsearch \
    -p 9000:9000 -p 12201:12201 -p 514:514 \
    -e GRAYLOG_WEB_ENDPOINT_URI="http://127.0.0.1:9000/api" \
    -d graylog/graylog:2.3.0-1

I think the setup is only listening on ipv6?

root@ubuntu16-host1:/etc/sysctl.d# netstat -peanut |grep 514
tcp6       0      0 :::514                  :::*                    LISTEN      0          31990       4812/docker-proxy
root@ubuntu16-host1:/etc/sysctl.d#

?
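Two checks worth making at this point, as an added example that is not part of the original thread or of the Graylog project. First, the `tcp6 :::514` line from docker-proxy is a dual-stack socket on Linux: it accepts IPv4 connections as well unless `net.ipv6.bindv6only=1`, so sending a test message to the host's IPv4 address settles that question directly. Second, a published port (`-p 514:514`) only means docker-proxy accepts the connection; Graylog itself does not ship with any inputs configured, so a Syslog TCP input must exist (System > Inputs in the web UI) bound to `0.0.0.0` on port 514 inside the container before anything can be searched. The script below builds a well-formed RFC 3164 message, pushes it over IPv4 TCP with bash's `/dev/tcp`, and reports whether the connection was accepted. The host, port and hostname defaults are assumptions; override them with `GRAYLOG_HOST` and `GRAYLOG_PORT`.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread: send one RFC 3164 syslog
# message over IPv4 TCP to a Graylog host and report whether the TCP
# connection was accepted. Defaults below are assumptions for illustration.
set -eu

# PRI = facility * 8 + severity (RFC 3164 section 4.1.1).
# facility 1 = user, severity 3 = err, so user.err -> 11.
syslog_pri() {
    local facility=$1 severity=$2
    echo $(( facility * 8 + severity ))
}

# Build one RFC 3164 line: "<PRI>TIMESTAMP HOSTNAME TAG: MSG".
# The timestamp is a parameter so the output is deterministic and testable;
# the caller passes "$(date '+%b %e %T')" for a live message.
syslog_rfc3164() {
    local facility=$1 severity=$2 ts=$3 host=$4 tag=$5 msg=$6
    printf '<%d>%s %s %s: %s\n' \
        "$(syslog_pri "$facility" "$severity")" "$ts" "$host" "$tag" "$msg"
}

# Connect with bash's /dev/tcp (IPv4 when given a dotted-quad address),
# write the message, and return 0 if the connection was accepted.
# A successful connect proves only that docker-proxy answered; the
# message still has to reach a Syslog TCP input inside the container.
send_syslog_tcp() {
    local host=$1 port=$2 msg=$3
    ( exec 3<>"/dev/tcp/$host/$port" && printf '%s' "$msg" >&3 ) 2>/dev/null
}

main() {
    # Assumed defaults: the Graylog host's IPv4 address and published port.
    local host=${GRAYLOG_HOST:-127.0.0.1}
    local port=${GRAYLOG_PORT:-514}
    # A typical rsyslog forwarding line that produces such a message over TCP
    # would be:  *.* @@graylog-host:514   (two @ signs select TCP)
    local msg
    msg=$(syslog_rfc3164 1 3 "$(date '+%b %e %T')" "$(hostname)" rsyslogd \
          "graylog input probe: search for this string in Graylog")
    printf 'Sending to %s:%s -> %s' "$host" "$port" "$msg"
    if send_syslog_tcp "$host" "$port" "$msg"; then
        echo "TCP connection accepted (docker-proxy is reachable over IPv4)."
        echo "If the message is still not searchable, no input is bound to 514 in the container."
    else
        echo "TCP connection refused: nothing is listening on $host:$port over IPv4."
    fi
}

main "$@"
```

Once the connection is accepted, the remaining question is whether an input exists: `curl -u admin:admin http://127.0.0.1:9000/api/system/inputs` against the Graylog 2.x REST API lists configured inputs (use the admin password from your own setup), and an empty `inputs` list means the test message was accepted by docker-proxy and dropped on the far side.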

What’s the configuration of rsyslog?
What’s the configuration of the Syslog input in Graylog?

rsyslog is unaltered except for sending to the remote host on the last line via TCP. The client is sending; I can see it doing so in iptraf-ng.

No idea on what's configured in the syslog input; it's as installed. Nothing in the quickstart guide says I need to do anything that I can see.

@gzcwnk Please post the complete configurations I’ve asked for and don’t just describe them.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.