No sign of logs being in the graylog server


(Gzcwnk) #1

I can see my rsyslog client is sending logs to the graylog2 server (docker setup), but I can't seem to see any sign Graylog is seeing any logs whatsoever. Searching for “ERROR” produces no results.

Firewall rules look ok?

root@ubuntu16-host1:/etc/sysctl.d# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy DROP)
target     prot opt source               destination         
CATTLE_FORWARD  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0           
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain CATTLE_FORWARD (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x1068
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x4000

Chain DOCKER (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.5           tcp dpt:12201
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.5           tcp dpt:9000
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.5           tcp dpt:514

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

Chain DOCKER-USER (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           
root@ubuntu16-host1:/etc/sysctl.d# 

Where do I look next?


(Gzcwnk) #2

I followed the quickstart guide as follows:

$ docker run --name mongo -d mongo:3
$ docker run --name elasticsearch \
    -e "http.host=0.0.0.0" -e "xpack.security.enabled=false" \
    -d docker.elastic.co/elasticsearch/elasticsearch:5.5.1
$ docker run --link mongo --link elasticsearch \
    -p 9000:9000 -p 12201:12201 -p 514:514 \
    -e GRAYLOG_WEB_ENDPOINT_URI="http://127.0.0.1:9000/api" \
    -d graylog/graylog:2.3.0-1

(Gzcwnk) #3

I think the setup is only listening on IPv6?

root@ubuntu16-host1:/etc/sysctl.d# netstat -peanut |grep 514
tcp6       0      0 :::514                  :::*                    LISTEN      0          31990       4812/docker-proxy
root@ubuntu16-host1:/etc/sysctl.d#

?
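One way to separate "the client is sending" from "Graylog is receiving", added here as an example and not taken from the thread: push a uniquely marked RFC 3164 line straight into the syslog TCP input over IPv4, then search Graylog for that marker. If the IPv4 connect to port 514 succeeds, the tcp6 `:::514` docker-proxy socket is a dual-stack listener and the address family is not the problem. The Graylog hostname and the client name below are assumed placeholders.

```python
"""Inject a marked test line into a Graylog syslog TCP input, to check the
server side of the path independently of the rsyslog client."""
import socket
import time
import uuid

FACILITY_USER = 1    # RFC 3164 facility "user"
SEVERITY_ERROR = 3   # RFC 3164 severity "error"

def syslog_pri(facility: int, severity: int) -> int:
    """PRI field from RFC 3164: facility * 8 + severity."""
    return facility * 8 + severity

def parse_timestamp(text: str) -> time.struct_time:
    """Parse 'YYYY-MM-DD HH:MM:SS' so a message can be built reproducibly."""
    return time.strptime(text, "%Y-%m-%d %H:%M:%S")

def build_syslog_message(hostname, app, text, when, facility=FACILITY_USER,
                         severity=SEVERITY_ERROR) -> bytes:
    """BSD-style line '<PRI>Mmm dd hh:mm:ss host app: text\\n'; the day is
    space-padded per RFC 3164 and the newline is the TCP frame delimiter."""
    stamp = "%s %2d %s" % (time.strftime("%b", when), when.tm_mday,
                           time.strftime("%H:%M:%S", when))
    line = "<%d>%s %s %s: %s\n" % (syslog_pri(facility, severity), stamp,
                                   hostname, app, text)
    return line.encode("ascii")

def send_test_message(host, port, message, family=socket.AF_INET, timeout=5.0):
    """Connect with the given address family (AF_INET forces IPv4, so a tcp6
    ':::514' listener is exercised over IPv4) and send one message.
    Returns True if connect and send both succeed."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((host, port))
            sock.sendall(message)
        return True
    except OSError as exc:
        print("send to %s:%d failed: %s" % (host, port, exc))
        return False

if __name__ == "__main__":
    # Placeholders: replace the Graylog host and client name with your own.
    marker = "graylog-probe-%s" % uuid.uuid4().hex[:8]
    msg = build_syslog_message("client1", "graylog-probe",
                               "ERROR test message %s" % marker, time.localtime())
    if send_test_message("graylog.example.internal", 514, msg):
        print("sent; now search Graylog for:", marker)
```

If the send succeeds but the marker never appears in a search, the problem is on the Graylog side (input not running, wrong port or protocol on the input, or indexing), not in the network path from the client.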


(Jochen) #4

What’s the configuration of rsyslog?
What’s the configuration of the Syslog input in Graylog?


(Gzcwnk) #5

rsyslog is unaltered except for sending to the remote host on the last line via TCP. The client is sending; I can see it doing so in iptraf-ng.


(Gzcwnk) #6

No idea what's configured in the syslog input; it's as installed. Nothing in the quickstart guide says I need to do anything, as far as I can see.


(Jochen) #7

@gzcwnk Please post the complete configurations I’ve asked for and don’t just describe them.


(system) #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.