Not seeing all the log entries forwarded from syslog


(Mark) #1

I’ve just installed Graylog on my Debian box.
I configured rsyslog on Debian to forward TCP & UDP syslog entries to Graylog.
I’ve configured multiple network devices to send messages to syslog on the debian box.

When I look in Graylog, I see syslog messages from the Debian host and one network device. None of the log messages from the various other network devices that I have pointed at the syslog server are showing up in Graylog.

When I look in the raw syslog file on the Debian box the entries are there.

Not sure how to troubleshoot this when only SOME messages are forwarded but others apparently are not?

From the syslog snippet below I only see messages from host 192.168.5.220 and debian01 in Graylog.

I do NOT see the syslog entries from hosts 192.168.5.221, 192.168.5.222, or several others not shown in this example.

Apr 26 16:54:04 192.168.5.222 hostapd: ath50: STA c8:f7:33:f7:6b:f3 IEEE 802.11: associated
Apr 26 12:54:12 192.168.5.220 %Client-6: (00:10:40:91:7B:73) leaves WLAN(corpwifi) from EWS350AP201(88:DC:96:55:63:8B)
Apr 26 16:54:34 192.168.5.222 hostapd: ath50: STA c8:f7:33:f7:6b:f3 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Apr 26 16:55:01 192.168.5.222 crond[3265]: crond: USER root pid 4025 cmd killall -SIGUSR1 dhcrelay
Apr 26 16:55:01 192.168.5.221 crond[3265]: crond: USER root pid 2559 cmd killall -SIGUSR1 dhcrelay
Apr 26 13:00:01 debian01 CRON[4183]: (root) CMD (if [ -x /usr/bin/mrtg ] && [ -r /etc/mrtg.cfg ] && [ -d "$(grep '^[[:space:]][^#][[:space:]]*WorkDir' /etc/mrtg.cfg | awk '{ print $NF }')" ]; then mkdir -p /var/log/mrtg ; env LANG=C /usr/bin/mrtg /etc/mrtg.cfg 2>&1 | tee -a /var/log/mrtg/mrtg.log ; fi)

I do not see any empty messages being discarded by graylog when I view the inputs.

Would appreciate some direction on where I should look to best troubleshoot and resolve this issue.

Thanks


(Jochen) #2

Try creating a Raw/Plaintext input instead of a Syslog input.

Some devices send invalid syslog (at least according to RFC 3164 or RFC 5424) and Graylog will discard these invalid messages.
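The distinction Jochen draws between conforming and non-conforming syslog is easier to see with a small checker. The Python below is an added example, not code from this thread or from Graylog: it applies strict RFC 3164 / RFC 5424 header checks as an approximation of what a syslog input will accept (Graylog's own parser is not reproduced here), and the sample messages are constructed to resemble the wire format of the hosts in Mark's snippet rather than captured traffic.

```python
import re
from collections import Counter

# Header shapes from the two syslog RFCs (added example; a strict approximation,
# not Graylog's own parser).
# RFC 3164:  <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
# RFC 5424:  <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) "
    r"(?P<ts>-|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)
MAX_PRI = 191  # facility 23 * 8 + severity 7


def classify(message: str) -> str:
    """Return 'rfc5424', 'rfc3164', or 'invalid: <reason>' for one wire-format message."""
    pri_match = re.match(r"^<(\d{1,3})>", message)
    if pri_match is None:
        return "invalid: missing <PRI> header"
    if int(pri_match.group(1)) > MAX_PRI:
        return "invalid: PRI out of range"
    if RFC5424_RE.match(message):
        return "rfc5424"
    if RFC3164_RE.match(message):
        return "rfc3164"
    return "invalid: PRI present but timestamp/header malformed"


# Constructed samples modelled on the hosts in the thread (not captured traffic).
SAMPLES = [
    # well-formed RFC 3164, as a classic BSD-style sender emits it
    "<13>Apr 26 16:54:04 192.168.5.222 hostapd: ath50: STA c8:f7:33:f7:6b:f3 IEEE 802.11: associated",
    # well-formed RFC 5424 with version, ISO timestamp and empty structured data
    "<14>1 2019-04-26T16:55:01.000Z 192.168.5.221 crond 3265 - - crond: USER root pid 2559 cmd killall -SIGUSR1 dhcrelay",
    # no <PRI> at all: the whole line is just free text to a syslog parser
    "Apr 26 12:54:12 192.168.5.220 %Client-6: (00:10:40:91:7B:73) leaves WLAN(corpwifi)",
    # PRI present but a timestamp format neither RFC allows
    "<13>2019-04-26 16:54:34 192.168.5.222 hostapd: deauthenticated due to inactivity",
    # PRI value outside the 0..191 range
    "<999>Apr 26 16:55:01 192.168.5.222 crond[3265]: crond: USER root pid 4025",
]


def triage(messages):
    """Classify every message and count how many fall into each outcome."""
    results = [(m, classify(m)) for m in messages]
    counts = Counter(verdict for _, verdict in results)
    return results, counts


if __name__ == "__main__":
    results, counts = triage(SAMPLES)
    for message, verdict in results:
        print(f"{verdict:55s} | {message[:60]}")
    print(dict(counts))
```

Feed it the messages as they arrive at the Graylog host, for example from a packet capture of the input port, not lines copied from /var/log/syslog: the `<PRI>` prefix is present on the wire but rsyslog's default file template drops it, so the file cannot show which senders are non-conforming. Any sender whose messages come back as `invalid` is a candidate for the Raw/Plaintext input Jochen suggests.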