Not receiving any data from inputs

lawdfarquhar · February 14, 2023, 9:26pm

I am moving my graylog instance to another VM on the same network and upgrading to Graylog 5. I have all my inputs built out and added everything to iptables. For some reason I am not getting any data into my inputs.

yum list installed | grep -E ".*(opensearch|graylog|mongo).*"
graylog-5.0-repository.noarch                  1-2                                       @System                                                         
graylog-server.x86_64                          5.0.2-1                                   @graylog                                                        
mongodb-database-tools.x86_64                  100.6.1-1                                 @mongodb-org-6.0                                                
mongodb-org-database-tools-extra.x86_64        6.0.3-1.el8                               @mongodb-org-6.0

[root@graylog2 ~]# tail -100 /var/log/graylog-server/server.log
        at org.glassfish.hk2.utilities.reflection.ReflectionHelper.makeMe(ReflectionHelper.java:1356) ~[graylog.jar:?]
        at org.jvnet.hk2.internal.ClazzCreator.createMe(ClazzCreator.java:248) ~[graylog.jar:?]
        at org.jvnet.hk2.internal.ClazzCreator.create(ClazzCreator.java:342) ~[graylog.jar:?]
        at org.jvnet.hk2.internal.SystemDescriptor.create(SystemDescriptor.java:463) ~[graylog.jar:?]
        at org.jvnet.hk2.internal.SingletonContext$1.compute(SingletonContext.java:59) ~[graylog.jar:?]
        at org.jvnet.hk2.internal.SingletonContext$1.compute(SingletonContext.java:47) ~[graylog.jar:?]
        at org.glassfish.hk2.utilities.cache.Cache$OriginThreadAwareFuture$1.call(Cache.java:74) ~[graylog.jar:?]
        at java.util.concurrent.FutureTask.run(Unknown Source) ~[?:?]
        at org.glassfish.hk2.utilities.cache.Cache$OriginThreadAwareFuture.run(Cache.java:131) ~[graylog.jar:?]
        at org.glassfish.hk2.utilities.cache.Cache.compute(Cache.java:176) ~[graylog.jar:?]
        at org.jvnet.hk2.internal.SingletonContext.findOrCreate(SingletonContext.java:98) ~[graylog.jar:?]
        at org.jvnet.hk2.internal.Utilities.createService(Utilities.java:2102) ~[graylog.jar:?]
        at org.jvnet.hk2.internal.ServiceHandleImpl.getService(ServiceHandleImpl.java:93) ~[graylog.jar:?]
        at org.jvnet.hk2.internal.ServiceHandleImpl.getService(ServiceHandleImpl.java:67) ~[graylog.jar:?]
        at org.glassfish.jersey.inject.hk2.AbstractHk2InjectionManager.lambda$getAllServiceHolders$0(AbstractHk2InjectionManager.java:136) ~[graylog.jar:?]
        at java.util.stream.ReferencePipeline$3$1.accept(Unknown Source) ~[?:?]
        at java.util.LinkedList$LLSpliterator.forEachRemaining(Unknown Source) ~[?:?]
        at java.util.stream.AbstractPipeline.copyInto(Unknown Source) ~[?:?]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(Unknown Source) ~[?:?]
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(Unknown Source) ~[?:?]
        at java.util.stream.AbstractPipeline.evaluate(Unknown Source) ~[?:?]
        at java.util.stream.ReferencePipeline.collect(Unknown Source) ~[?:?]
        at org.glassfish.jersey.inject.hk2.AbstractHk2InjectionManager.getAllServiceHolders(AbstractHk2InjectionManager.java:140) ~[graylog.jar:?]
        at org.glassfish.jersey.inject.hk2.ImmediateHk2InjectionManager.getAllServiceHolders(ImmediateHk2InjectionManager.java:30) ~[graylog.jar:?]
        at org.glassfish.jersey.internal.inject.Providers.getServiceHolders(Providers.java:307) ~[graylog.jar:?]
        at org.glassfish.jersey.internal.inject.Providers.getCustomProviders(Providers.java:151) ~[graylog.jar:?]
        at org.glassfish.jersey.message.internal.MessageBodyFactory.initialize(MessageBodyFactory.java:219) ~[graylog.jar:?]
        at org.glassfish.jersey.message.internal.MessageBodyFactory$MessageBodyWorkersConfigurator.postInit(MessageBodyFactory.java:114) ~[graylog.jar:?]
        at org.glassfish.jersey.server.ApplicationHandler.lambda$initialize$2(ApplicationHandler.java:353) ~[graylog.jar:?]
        at java.util.Arrays$ArrayList.forEach(Unknown Source) ~[?:?]
        at org.glassfish.jersey.server.ApplicationHandler.initialize(ApplicationHandler.java:353) ~[graylog.jar:?]
        at org.glassfish.jersey.server.ApplicationHandler.lambda$initialize$1(ApplicationHandler.java:297) ~[graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:292) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.process(Errors.java:274) [graylog.jar:?]
        at org.glassfish.jersey.internal.Errors.processWithException(Errors.java:232) [graylog.jar:?]
        at org.glassfish.jersey.server.ApplicationHandler.initialize(ApplicationHandler.java:296) [graylog.jar:?]
        at org.glassfish.jersey.server.ApplicationHandler.<init>(ApplicationHandler.java:261) [graylog.jar:?]
        at org.glassfish.jersey.server.ApplicationHandler.<init>(ApplicationHandler.java:248) [graylog.jar:?]
        at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpContainer.<init>(GrizzlyHttpContainer.java:310) [graylog.jar:?]
        at org.glassfish.jersey.grizzly2.httpserver.GrizzlyHttpServerFactory.createHttpServer(GrizzlyHttpServerFactory.java:163) [graylog.jar:?]
        at org.graylog2.shared.initializers.JerseyService.setUp(JerseyService.java:314) [graylog.jar:?]
        at org.graylog2.shared.initializers.JerseyService.startUpApi(JerseyService.java:194) [graylog.jar:?]
        at org.graylog2.shared.initializers.JerseyService.startUp(JerseyService.java:158) [graylog.jar:?]
        at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62) [graylog.jar:?]
        at com.google.common.util.concurrent.Callables$4.run(Callables.java:121) [graylog.jar:?]
        at java.lang.Thread.run(Unknown Source) [?:?]
2023-02-14T14:55:38.241-05:00 INFO  [JerseyService] Started REST API at <xxx.xx.80.9:9000>
2023-02-14T14:55:38.243-05:00 INFO  [ServerBootstrap] Services started, startup times in ms: {InputSetupService [RUNNING]=1, FailureHandlingService [RUNNING]=3, UserSessionTerminationService [RUNNING]=4, ConfigurationEtagService [RUNNING]=6, PrometheusExporter [RUNNING]=6, GracefulShutdownService [RUNNING]=7, UrlWhitelistService [RUNNING]=7, BufferSynchronizerService [RUNNING]=7, OutputSetupService [RUNNING]=7, EtagService [RUNNING]=9, LocalKafkaMessageQueueReader [RUNNING]=9, LocalKafkaMessageQueueWriter [RUNNING]=15, GeoIpDbFileChangeMonitorService [RUNNING]=25, LocalKafkaJournal [RUNNING]=40, LookupTableService [RUNNING]=46, StreamCacheService [RUNNING]=98, JobSchedulerService [RUNNING]=126, MongoDBProcessingStatusRecorderService [RUNNING]=211, PeriodicalsService [RUNNING]=401, JerseyService [RUNNING]=5159}
2023-02-14T14:55:38.250-05:00 INFO  [ServiceManagerListener] Services are healthy
2023-02-14T14:55:38.260-05:00 INFO  [InputSetupService] Triggering launching persisted inputs, node transitioned from Uninitialized [LB:DEAD] to Running [LB:ALIVE]
2023-02-14T14:55:38.282-05:00 INFO  [ServerBootstrap] Graylog server up and running.
2023-02-14T14:55:38.684-05:00 INFO  [InputLauncher] Launching input [Syslog UDP/APC UPS/63ebab2f25bd2940f10a5032] - desired state is RUNNING
2023-02-14T14:55:38.709-05:00 INFO  [InputLauncher] Launching input [Syslog UDP/Barracuda/63ebab6325bd2940f10a50a3] - desired state is RUNNING
2023-02-14T14:55:38.716-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebab2f25bd2940f10a5032] is now STARTING
2023-02-14T14:55:38.717-05:00 INFO  [InputLauncher] Launching input [Syslog TCP/Cylance Syslog TCP/63ebabc425bd2940f10a5171] - desired state is RUNNING
2023-02-14T14:55:38.727-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebab6325bd2940f10a50a3] is now STARTING
2023-02-14T14:55:38.747-05:00 INFO  [InputLauncher] Launching input [GELF UDP/DC2/63ebabfc25bd2940f10a51f1] - desired state is RUNNING
2023-02-14T14:55:38.751-05:00 INFO  [InputStateListener] Input [Syslog TCP/63ebabc425bd2940f10a5171] is now STARTING
2023-02-14T14:55:38.753-05:00 INFO  [InputLauncher] Launching input [GELF UDP/Exchange (local)/63ebac1725bd2940f10a522d] - desired state is RUNNING
2023-02-14T14:55:38.756-05:00 INFO  [InputStateListener] Input [GELF UDP/63ebabfc25bd2940f10a51f1] is now STARTING
2023-02-14T14:55:38.760-05:00 INFO  [InputLauncher] Launching input [Syslog UDP/Firewall/63ebac3125bd2940f10a5266] - desired state is RUNNING
2023-02-14T14:55:38.762-05:00 INFO  [InputStateListener] Input [GELF UDP/63ebac1725bd2940f10a522d] is now STARTING
2023-02-14T14:55:38.773-05:00 INFO  [InputLauncher] Launching input [Syslog UDP/Local Server/63ebac4725bd2940f10a5298] - desired state is RUNNING
2023-02-14T14:55:38.776-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebac3125bd2940f10a5266] is now STARTING
2023-02-14T14:55:38.779-05:00 INFO  [InputLauncher] Launching input [Raw/Plaintext UDP/MDS (cellular)/63ebac6125bd2940f10a52d3] - desired state is RUNNING
2023-02-14T14:55:38.781-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebac4725bd2940f10a5298] is now STARTING
2023-02-14T14:55:38.785-05:00 INFO  [InputLauncher] Launching input [Raw/Plaintext UDP/Meraki/63ebac7225bd2940f10a52fb] - desired state is RUNNING
2023-02-14T14:55:38.792-05:00 INFO  [InputStateListener] Input [Raw/Plaintext UDP/63ebac6125bd2940f10a52d3] is now STARTING
2023-02-14T14:55:38.795-05:00 INFO  [InputLauncher] Launching input [Syslog UDP/Network Switches/63ebac8d25bd2940f10a5334] - desired state is RUNNING
2023-02-14T14:55:38.802-05:00 INFO  [InputStateListener] Input [Raw/Plaintext UDP/63ebac7225bd2940f10a52fb] is now STARTING
2023-02-14T14:55:38.810-05:00 INFO  [InputLauncher] Launching input [GELF UDP/PDC/63ebaca225bd2940f10a5366] - desired state is RUNNING
2023-02-14T14:55:38.813-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebac8d25bd2940f10a5334] is now STARTING
2023-02-14T14:55:38.817-05:00 INFO  [InputLauncher] Launching input [Syslog UDP/Switch - Utility Services/63ebacc925bd2940f10a53b9] - desired state is RUNNING
2023-02-14T14:55:38.820-05:00 INFO  [InputStateListener] Input [GELF UDP/63ebaca225bd2940f10a5366] is now STARTING
2023-02-14T14:55:38.825-05:00 INFO  [InputLauncher] Launching input [Syslog TCP/vCenter/63ebacf625bd2940f10a541d] - desired state is RUNNING
2023-02-14T14:55:38.829-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebacc925bd2940f10a53b9] is now STARTING
2023-02-14T14:55:38.835-05:00 INFO  [InputLauncher] Launching input [Syslog UDP/VMware Horizon/63ebad1125bd2940f10a545a] - desired state is RUNNING
2023-02-14T14:55:38.838-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebad1125bd2940f10a545a] is now STARTING
2023-02-14T14:55:38.836-05:00 INFO  [InputLauncher] Launching input [Syslog UDP/VoIP Gateway/63ebad2725bd2940f10a548c] - desired state is RUNNING
2023-02-14T14:55:38.851-05:00 INFO  [InputStateListener] Input [Syslog TCP/63ebacf625bd2940f10a541d] is now STARTING
2023-02-14T14:55:38.859-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebad2725bd2940f10a548c] is now STARTING
2023-02-14T14:55:38.908-05:00 INFO  [InputStateListener] Input [Syslog TCP/63ebacf625bd2940f10a541d] is now RUNNING
2023-02-14T14:55:38.911-05:00 INFO  [InputStateListener] Input [Syslog TCP/63ebabc425bd2940f10a5171] is now RUNNING
2023-02-14T14:55:38.935-05:00 WARN  [AbstractTcpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogTCPInput{title=Cylance Syslog TCP, type=org.graylog2.inputs.syslog.tcp.SyslogTCPInput, nodeId=372c7f7d-de5d-4818-8528-8b927c312b81} (channel [id: 0xecf607e2, L:/[0:0:0:0:0:0:0:0%0]:6514]) should be >= 1048576 but is 425984.
2023-02-14T14:55:38.938-05:00 INFO  [InputStateListener] Input [GELF UDP/63ebac1725bd2940f10a522d] is now RUNNING
2023-02-14T14:55:38.941-05:00 INFO  [InputStateListener] Input [GELF UDP/63ebabfc25bd2940f10a51f1] is now RUNNING
2023-02-14T14:55:38.944-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebad2725bd2940f10a548c] is now RUNNING
2023-02-14T14:55:38.946-05:00 INFO  [InputStateListener] Input [GELF UDP/63ebaca225bd2940f10a5366] is now RUNNING
2023-02-14T14:55:38.948-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebab2f25bd2940f10a5032] is now RUNNING
2023-02-14T14:55:38.951-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebacc925bd2940f10a53b9] is now RUNNING
2023-02-14T14:55:38.952-05:00 INFO  [InputStateListener] Input [Raw/Plaintext UDP/63ebac6125bd2940f10a52d3] is now RUNNING
2023-02-14T14:55:38.957-05:00 WARN  [AbstractTcpTransport] receiveBufferSize (SO_RCVBUF) for input SyslogTCPInput{title=vCenter, type=org.graylog2.inputs.syslog.tcp.SyslogTCPInput, nodeId=372c7f7d-de5d-4818-8528-8b927c312b81} (channel [id: 0xb1953764, L:/[0:0:0:0:0:0:0:0%0]:2190]) should be >= 1048576 but is 425984.
2023-02-14T14:55:38.957-05:00 INFO  [InputStateListener] Input [Raw/Plaintext UDP/63ebac7225bd2940f10a52fb] is now RUNNING
2023-02-14T14:55:38.962-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebad1125bd2940f10a545a] is now RUNNING
2023-02-14T14:55:38.963-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebac4725bd2940f10a5298] is now RUNNING
2023-02-14T14:55:38.967-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebac3125bd2940f10a5266] is now RUNNING
2023-02-14T14:55:38.969-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebac8d25bd2940f10a5334] is now RUNNING
2023-02-14T14:55:38.970-05:00 INFO  [InputStateListener] Input [Syslog UDP/63ebab6325bd2940f10a50a3] is now RUNNING
2023-02-14T15:01:53.142-05:00 INFO  [connection] Opened connection [connectionId{localValue:10, serverValue:10}] to localhost:27017
2023-02-14T15:35:53.218-05:00 INFO  [connection] Opened connection [connectionId{localValue:11, serverValue:11}] to localhost:27017

[root@graylog2 ~]# cat /etc/graylog/server/server.conf         | egrep -v "^\s*(#|$)"
is_leader = true
node_id_file = /etc/graylog/server/node-id
password_secret = xxx
root_password_sha2 = xxx
root_timezone = EST
bin_dir = /usr/share/graylog-server/bin
data_dir = /var/lib/graylog-server
plugin_dir = /usr/share/graylog-server/plugin
http_bind_address = xxx.xx.80.9:9000
http_enable_cors = true
stream_aware_field_types=false
rotation_strategy = count
elasticsearch_max_docs_per_index = 20000000
elasticsearch_max_number_of_indices = 20
retention_strategy = delete
elasticsearch_shards = 4
elasticsearch_replicas = 0
elasticsearch_index_prefix = graylog
allow_leading_wildcard_searches = false
allow_highlighting = false
elasticsearch_analyzer = standard
output_batch_size = 500
output_flush_interval = 1
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
processbuffer_processors = 5
outputbuffer_processors = 3
processor_wait_strategy = blocking
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
message_journal_enabled = true
message_journal_dir = /var/lib/graylog-server/journal
lb_recognition_period_seconds = 3
mongodb_uri = mongodb://localhost/graylog
mongodb_max_connections = 1000

[root@graylog2 ~]# curl -XGET http://localhost:9200/_cluster/health?pretty=true
{
  "cluster_name" : "graylog2",
  "status" : "yellow",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "discovered_master" : true,
  "discovered_cluster_manager" : true,
  "active_primary_shards" : 14,
  "active_shards" : 14,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 1,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 93.33333333333333

[root@graylog2 ~]# curl -XGET http://localhost:9200/_cluster/allocation/explain?pretty
{
  "index" : "security-auditlog-2023.01.12",
  "shard" : 0,
  "primary" : false,
  "current_state" : "unassigned",
  "unassigned_info" : {
    "reason" : "CLUSTER_RECOVERED",
    "at" : "2023-02-14T19:55:15.973Z",
    "last_allocation_status" : "no_attempt"
  },
  "can_allocate" : "no",
  "allocate_explanation" : "cannot allocate because allocation is not permitted to any of the nodes",
  "node_allocation_decisions" : [
    {
      "node_id" : "25l9Y0fCQ8yNyY4UiCVkiw",
      "node_name" : "graylog2",
      "transport_address" : "xxx.xx.80.9:9300",
      "node_attributes" : {
        "shard_indexing_pressure_enabled" : "true"
      },
      "node_decision" : "no",
      "deciders" : [
        {
          "decider" : "same_shard",
          "decision" : "NO",
          "explanation" : "a copy of this shard is already allocated to this node [[security-auditlog-2023.01.12][0], node[25l9Y0fCQ8yNyY4UiCVkiw], [P], s[STARTED], a[id=HRKSoLbNQ_OMYn87qLOMWA]]"
        }
      ]
    }
  ]
}

[root@graylog2 ~]# \netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:27017         127.0.0.1:47060         ESTABLISHED
tcp        0      0 127.0.0.1:27017         127.0.0.1:39074         ESTABLISHED
tcp        0      0 127.0.0.1:27017         127.0.0.1:46268         ESTABLISHED
tcp        0      0 127.0.0.1:27017         127.0.0.1:50742         ESTABLISHED
tcp        0      0 127.0.0.1:27017         127.0.0.1:39078         ESTABLISHED
tcp        0      0 xxx.xx.80.9:22          xxx.xx.69.10:58231      ESTABLISHED
tcp        0      0 127.0.0.1:27017         127.0.0.1:39088         ESTABLISHED
tcp        0      0 127.0.0.1:27017         127.0.0.1:50754         ESTABLISHED
tcp        0      0 127.0.0.1:27017         127.0.0.1:50726         ESTABLISHED
tcp6       0      0 xxx.xx.80.9:9000        :::*                    LISTEN     
tcp6       0      0 :::2190                 :::*                    LISTEN     
tcp6       0      0 :::9200                 :::*                    LISTEN     
tcp6       0      0 :::6514                 :::*                    LISTEN     
tcp6       0      0 :::9300                 :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 xxx.xx.80.9:9000        xxx.xx.69.10:58518      TIME_WAIT  
tcp6       1      0 xxx.xx.80.9:57718       xxx.xx.80.9:9000        CLOSE_WAIT 
tcp6       0      0 xxx.xx.80.9:9000        xxx.xx.69.10:58517      TIME_WAIT  
tcp6       0      0 xxx.xx.80.9:9000        xxx.xx.80.9:57728       FIN_WAIT2  
tcp6       0      0 xxx.xx.80.9:9000        xxx.xx.69.10:58521      TIME_WAIT  
tcp6       0      0 127.0.0.1:9200          127.0.0.1:59186         ESTABLISHED
tcp6       0      0 xxx.xx.80.9:9000        xxx.xx.80.9:43160       TIME_WAIT  
tcp6       0      0 127.0.0.1:39074         127.0.0.1:27017         ESTABLISHED
tcp6       0      0 127.0.0.1:39088         127.0.0.1:27017         ESTABLISHED
tcp6       0      0 127.0.0.1:46268         127.0.0.1:27017         ESTABLISHED
tcp6       0      0 127.0.0.1:50726         127.0.0.1:27017         ESTABLISHED
tcp6       0      0 127.0.0.1:59162         127.0.0.1:9200          ESTABLISHED
tcp6       0      0 127.0.0.1:59186         127.0.0.1:9200          ESTABLISHED
tcp6       0      0 xxx.xx.80.9:9000        xxx.xx.69.10:58516      TIME_WAIT  
tcp6       0      0 xxx.xx.80.9:9000        xxx.xx.80.9:57718       FIN_WAIT2  
tcp6       0      0 127.0.0.1:47060         127.0.0.1:27017         ESTABLISHED
tcp6       0      0 127.0.0.1:9200          127.0.0.1:59148         ESTABLISHED
tcp6       0      0 127.0.0.1:50742         127.0.0.1:27017         ESTABLISHED
tcp6       0      0 xxx.xx.80.9:9000        xxx.xx.69.10:58520      TIME_WAIT  
tcp6       0      0 127.0.0.1:9200          127.0.0.1:59170         ESTABLISHED
tcp6       0      0 127.0.0.1:59180         127.0.0.1:9200          ESTABLISHED
tcp6       1      0 xxx.xx.80.9:57728       xxx.xx.80.9:9000        CLOSE_WAIT 
tcp6       0      0 127.0.0.1:50754         127.0.0.1:27017         ESTABLISHED
tcp6       0      0 127.0.0.1:39078         127.0.0.1:27017         ESTABLISHED
tcp6       0      0 127.0.0.1:59148         127.0.0.1:9200          ESTABLISHED
tcp6       0      0 127.0.0.1:59170         127.0.0.1:9200          ESTABLISHED
tcp6       0      0 127.0.0.1:9200          127.0.0.1:59180         ESTABLISHED
tcp6       0      0 127.0.0.1:9200          127.0.0.1:59162         ESTABLISHED
tcp6       0      0 xxx.xx.80.9:9000        xxx.xx.80.9:43172       TIME_WAIT  
udp        0      0 0.0.0.0:50389           0.0.0.0:*                          
udp6       0      0 :::8010                 :::*                               
udp6       0      0 :::9001                 :::*                               
udp6       0      0 :::1202                 :::*                               
udp6       0      0 :::2122                 :::*                               
udp6       0      0 :::2500                 :::*                               
udp6       0      0 :::2502                 :::*                               
udp6       0      0 :::2505                 :::*                               
udp6       0      0 :::3104                 :::*                               
udp6       0      0 :::4170                 :::*                               
udp6       0      0 :::4172                 :::*                               
udp6       0      0 :::4249                 :::*                               
udp6       0      0 :::4251                 :::*                               
udp6       0      0 :::31009                :::*

lawdfarquhar · February 14, 2023, 9:42pm

[jake@graylog2 ~]$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FORWARD_IN_ZONES
-N FORWARD_IN_ZONES_SOURCE
-N FORWARD_OUT_ZONES
-N FORWARD_OUT_ZONES_SOURCE
-N FORWARD_direct
-N FWDI_drop
-N FWDI_drop_allow
-N FWDI_drop_deny
-N FWDI_drop_log
-N FWDI_trusted
-N FWDI_trusted_allow
-N FWDI_trusted_deny
-N FWDI_trusted_log
-N FWDI_work
-N FWDI_work_allow
-N FWDI_work_deny
-N FWDI_work_log
-N FWDO_drop
-N FWDO_drop_allow
-N FWDO_drop_deny
-N FWDO_drop_log
-N FWDO_trusted
-N FWDO_trusted_allow
-N FWDO_trusted_deny
-N FWDO_trusted_log
-N FWDO_work
-N FWDO_work_allow
-N FWDO_work_deny
-N FWDO_work_log
-N INPUT_ZONES
-N INPUT_ZONES_SOURCE
-N INPUT_direct
-N IN_drop
-N IN_drop_allow
-N IN_drop_deny
-N IN_drop_log
-N IN_trusted
-N IN_trusted_allow
-N IN_trusted_deny
-N IN_trusted_log
-N IN_work
-N IN_work_allow
-N IN_work_deny
-N IN_work_log
-N OUTPUT_direct
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j LOG --log-prefix "STATE_INVALID_DROP: "
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j LOG --log-prefix "FINAL_REJECT: "
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j LOG --log-prefix "STATE_INVALID_DROP: "
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j LOG --log-prefix "FINAL_REJECT: "
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i ens192 -g FWDI_work
-A FORWARD_IN_ZONES -i lo -g FWDI_trusted
-A FORWARD_IN_ZONES -g FWDI_drop
-A FORWARD_IN_ZONES_SOURCE -m set --match-set admin-ips src -g FWDI_trusted
-A FORWARD_OUT_ZONES -o ens192 -g FWDO_work
-A FORWARD_OUT_ZONES -o lo -g FWDO_trusted
-A FORWARD_OUT_ZONES -g FWDO_drop
-A FORWARD_OUT_ZONES_SOURCE -m set --match-set admin-ips dst -g FWDO_trusted
-A FWDI_drop -j FWDI_drop_log
-A FWDI_drop -j FWDI_drop_deny
-A FWDI_drop -j FWDI_drop_allow
-A FWDI_drop -j LOG --log-prefix "FWDI_drop_DROP: "
-A FWDI_drop -j DROP
-A FWDI_trusted -j FWDI_trusted_log
-A FWDI_trusted -j FWDI_trusted_deny
-A FWDI_trusted -j FWDI_trusted_allow
-A FWDI_trusted -j ACCEPT
-A FWDI_work -j FWDI_work_log
-A FWDI_work -j FWDI_work_deny
-A FWDI_work -j FWDI_work_allow
-A FWDI_work -p icmp -j ACCEPT
-A FWDO_drop -j FWDO_drop_log
-A FWDO_drop -j FWDO_drop_deny
-A FWDO_drop -j FWDO_drop_allow
-A FWDO_drop -j LOG --log-prefix "FWDO_drop_DROP: "
-A FWDO_drop -j DROP
-A FWDO_trusted -j FWDO_trusted_log
-A FWDO_trusted -j FWDO_trusted_deny
-A FWDO_trusted -j FWDO_trusted_allow
-A FWDO_trusted -j ACCEPT
-A FWDO_work -j FWDO_work_log
-A FWDO_work -j FWDO_work_deny
-A FWDO_work -j FWDO_work_allow
-A INPUT_ZONES -i ens192 -g IN_work
-A INPUT_ZONES -i lo -g IN_trusted
-A INPUT_ZONES -g IN_drop
-A INPUT_ZONES_SOURCE -m set --match-set admin-ips src -g IN_trusted
-A IN_drop -j IN_drop_log
-A IN_drop -j IN_drop_deny
-A IN_drop -j IN_drop_allow
-A IN_drop -j LOG --log-prefix "IN_drop_DROP: "
-A IN_drop -j DROP
-A IN_trusted -j IN_trusted_log
-A IN_trusted -j IN_trusted_deny
-A IN_trusted -j IN_trusted_allow
-A IN_trusted -j ACCEPT
-A IN_trusted_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_trusted_allow -p tcp -m tcp --dport 9000 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work -j IN_work_log
-A IN_work -j IN_work_deny
-A IN_work -j IN_work_allow
-A IN_work -p icmp -j ACCEPT
-A IN_work_allow -p udp -m udp --dport 4170 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p udp -m udp --dport 2502 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p udp -m udp --dport 4251 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p udp -m udp --dport 4249 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p udp -m udp --dport 4108 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p udp -m udp --dport 4166 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p udp -m udp --dport 4172 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p udp -m udp --dport 1202 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p udp -m udp --dport 2122 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p udp -m udp --dport 2500 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p udp -m udp --dport 3104 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p tcp -m tcp --dport 6514 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p udp -m udp --dport 31009 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p tcp -m tcp --dport 10050 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p udp -m udp --dport 9001 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p tcp -m tcp --dport 6662 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -p tcp -m tcp --dport 2190 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_work_allow -m conntrack --ctstate NEW,UNTRACKED -m mark --mark 0x64 -j ACCEPT

[jake@graylog2 ~]$ sudo ipset list 
Name: admin-ips
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 2424
References: 7
Number of entries: 48
Members:
xxx.xx.70.15
xxx.xx.69.9
xxx.xx.69.11
xxx.xx.69.10
xxx.xx.69.7
xxx.xx.70.3
xxx.xx.69.0
xxx.xx.70.4
xxx.xx.69.3
xxx.xx.70.5
xxx.xx.80.227
xxx.xx.80.238
xxx.xx.70.14
xxx.xx.80.228
xxx.xx.70.8
xxx.xx.80.239
xxx.xx.69.4
xxx.xx.69.12
xxx.xx.80.229
xxx.xx.80.230
xxx.xx.80.224
xxx.xx.69.1
xxx.xx.69.6
xxx.xx.69.14
xxx.xx.70.12
xxx.xx.69.15
xxx.xx.70.13
xxx.xx.69.2
xxx.xx.70.1
xxx.xx.80.236
xxx.xx.70.2
xxx.xx.80.226
xxx.xx.70.9
xxx.xx.69.8
xxx.xx.70.0
xxx.xx.80.232
xxx.xx.80.233
xxx.xx.69.5
xxx.xx.80.237
xxx.xx.80.235
xxx.xx.70.11
xxx.xx.69.13
xxx.xx.70.7
xxx.xx.70.6
xxx.xx.80.225
xxx.xx.80.234
xxx.xx.80.231
xxx.xx.70.10

dscryber · February 14, 2023, 9:53pm

@lawdfarquhar

Thanks for your post. We have a growing number of community members here who will likely respond to your question. Peer support here comes from practitioners who use Graylog daily and may be able to help.

In the meanwhile, I’ve put together a checklist of items to consider that may be causing or contributing to your problem. Please let me know if this list is helpful.

Checklist to Diagnose a Lack of data into Inputs

Have you verified that your inputs are correctly configured and enabled in Graylog 5?
Are your iptables rules properly configured to allow traffic to and from the new VM?
Have you checked to see if you have any firewall rules on the new VM blocking incoming traffic?
Are the Graylog ports already in use by other services on the new VM?
Have you verified that your data sources are sending data to the correct IP address and port number of the new Graylog VM?
Have you checked the data sources logs to see if they are reporting any issues with sending data to the new Graylog instance?
Have you checked the Graylog server log for any errors or warnings that could indicate an issue with your inputs?

If you’re still having trouble, please provide us with any additional information, such as the configuration of your inputs and the log output from the Graylog server, to help diagnose the problem.

gsmith · February 14, 2023, 10:41pm

Hey @lawdfarquhar

I would look into ES/OS, should be in Green.

Best way to troubleshoot this issue is Disable your firewall.
Save IpTables, once saved then flush you tables. see if that works. If not then just restart you tables all your setting should be there. Always make a backup.

If you do then you know its your firewall. If you have SElinux/Apparmor enbled, I would check that also.

lawdfarquhar · February 15, 2023, 3:41pm

Yeah I posted the curl -XGET http://localhost:9200/_cluster/allocation/explain?pretty In the original post and I see why it’s yellow but I don’t know how to fix that "Security-auditlog-2023.01.12 error.

Iptables is running and SElinux and firewalld are disabled. I exported and imported the iptables from my working graylog to this graylog so I’m pretty confident that is not the problem.

lawdfarquhar · February 15, 2023, 4:03pm

Figured it out. NXlog service needed to be restarted.

gsmith · February 15, 2023, 10:10pm

sometime its the simple things

system · March 1, 2023, 10:11pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.