Not receiving any syslog messages

Hello,

I am having trouble receiving Syslog messages. I am new to Graylog, and I am reaching out to this community hoping someone can help me.
I have a newly installed Mint OS 20.3 machine which I use to run my application. Besides my application, I want to run Graylog as well to receive Syslog messages from other Linux machines on the network.

After installing Mint OS I set up the IP address and disabled the firewall. After that, I followed the instructions in Debian installation - Installing Graylog to install Graylog version 4.2.7. I only edited
password_secret & root_password_sha2 in the /etc/graylog/server/server.conf file. At the end of the installation, I am able to launch and log in to the Graylog web page.

Next, I went to System > Inputs to create a Syslog UDP input. It appears as:
allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
number_worker_threads: 4
override_source:
port: 1514
recv_buffer_size: 262144
store_full_message: true

and it appears as RUNNING (in green).

Next, I went to my Linux client, added the MintOS/Graylog server IP and UDP port 1514 to its Syslog settings and restarted the service. I can see the Syslog messages going out from this Linux client, but they are not appearing in the Graylog search.

One thing I noticed is that there is nothing listening on port 1514 on the Graylog server.

I hope one of you can guide me from here. Please let me know if you need any other details.

TIA

Hello && Welcome @biplab54

Can I ask what logging shipper you are using? Also, can you show how it is configured?

Just to double check, I assume that the Elasticsearch and MongoDB status is good? I didn't notice anything about looking into the log files (i.e. Graylog, Elasticsearch, MongoDB). I assume there are no errors or anything pertaining to this issue?

Since you have no firewall, that should not be an issue. Your best bet would be to use tcpdump on the Graylog server.

For example, to find out whether the remote host is sending messages to the Graylog server:

tcpdump host 1.1.1.1

This would be the first step to find out where the issue is.
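A scripted version of the two checks raised in this thread (is anything bound to the UDP port, and do the client's datagrams actually arrive), added here as an example and not part of the original thread or of Graylog itself. It assumes a client hostname of mint-client and a syslog tag of graylog-test, and it uses a throwaway receiver on 127.0.0.1 in place of the real input so it runs without a Graylog server. The message builder emits RFC 3164 lines with a proper timestamp, since with allow_override_date set to true the input takes the event time from the message when one is present.

```python
import errno
import re
import socket
from datetime import datetime

# Assumed (constructed) values for this example; the thread's input sits on
# 0.0.0.0:1514, but the loopback demo below uses an ephemeral port.
DEMO_HOST = "mint-client"
DEMO_TAG = "graylog-test"


def udp_port_is_bound(port, host="0.0.0.0"):
    """True if some process already holds host:port/udp.

    UDP has no LISTEN state (so a TCP-minded check shows nothing on 1514);
    on the box itself `ss -ulnp` is the tool. Here we probe by trying to bind:
    EADDRINUSE means the Graylog input (or something else) owns the port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return False
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True
        if exc.errno == errno.EACCES:
            raise PermissionError(f"need privilege to probe port {port}") from exc
        raise
    finally:
        sock.close()


def build_rfc3164(message, facility=1, severity=6, hostname=DEMO_HOST,
                  tag=DEMO_TAG, when=None):
    """Build '<PRI>Mmm dd hh:mm:ss HOST TAG: MSG'; PRI = facility*8 + severity.

    The default facility/severity (user.info) gives <14>. A client that sends
    no timestamp, or a stale one, is the first thing to check when events
    show up in Graylog with an old date.
    """
    when = when or datetime.now()
    # RFC 3164 day-of-month is space padded ("Mar  5"), not zero padded.
    stamp = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {message}"


_RFC3164 = re.compile(
    r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")


def parse_rfc3164(line):
    """Split a captured line into the fields a syslog input extracts, or None."""
    match = _RFC3164.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": match.group(2), "host": match.group(3),
            "tag": match.group(4), "message": match.group(5)}


def send_udp(line, host, port):
    """Fire one datagram the way a client's syslog daemon would (no reply)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.sendto(line.encode("utf-8"), (host, port))
    finally:
        sock.close()


def bind_ephemeral(host="127.0.0.1"):
    """Bind a throwaway UDP receiver on a free port (stand-in for the input)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    sock.settimeout(2)
    return sock


def loopback_roundtrip(message):
    """Send one test message to a local receiver and return (sent, received).

    Offline stand-in for tcpdump on the Graylog box: if the bytes arrive here,
    the client side of the path is working and the problem is on the server.
    """
    receiver = bind_ephemeral()
    try:
        line = build_rfc3164(message)
        send_udp(line, "127.0.0.1", receiver.getsockname()[1])
        data, _ = receiver.recvfrom(65535)
        return line, data.decode("utf-8")
    finally:
        receiver.close()


if __name__ == "__main__":
    sent, got = loopback_roundtrip("graylog input smoke test")
    print("sent:    ", sent)
    print("received:", got)
    print("parsed:  ", parse_rfc3164(got))
    print("1514/udp bound on this host:", udp_port_is_bound(1514))
```

On the Graylog host the equivalent of the first check is `ss -ulnp | grep 1514`, and of the second `tcpdump -ni any udp port 1514`; point send_udp at the server's address and port 1514 to generate a known message while the capture runs.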

Hey @gsmith, thanks for your response!

I didn't check the system for a while, but today when I went to check it again I see the logs are coming in. However, it looks like they are old messages.
The time zone of the Graylog server, the Graylog server.conf file and the syslog client are all set to Pacific Time, as they are located in this region. I know the Syslog messages coming out of the syslog client don't have timestamps.
Is there a way to see the messages immediately in Graylog search, the moment they arrive?

Hello,

How old? A couple of hours, days, etc.?

If I'm correct, all three of these look like this on your GL server?

The only thing that wasn't mentioned: does the user that is logged on have the correct time zone?

And you stated the client Time zone is correct?

I would highly recommend using either tcpdump or Wireshark to look for messages coming in.

EDIT:

What do you mean by this? Log messages should have a timestamp.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.