Not seeing any messages after configuring an input

First time setting up Graylog and having some issues. I'm not able to see anything when I click on "show received messages" or do a search. I tried several options (all messages, past and future dates). I see in the upper corner that the In count changes between 40 and 100, but Out is 0.

allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
number_worker_threads: 20
override_source: <empty>
port: 5514
recv_buffer_size: 262144
store_full_message: false

When I run tcpdump on that port (5514), I do see packets. The firewall is sending the logs to my server on that port.

Hey @dcfasika,

If you see messages In but not Out, it is very likely that Graylog is not able to speak to Elasticsearch.

You should check your setup on this.

Thank you. I did further debugging and noticed that it was throwing an error in the server.log file, as seen below:

java.lang.IllegalArgumentException: Invalid format: "2020-02-28T09:12:28.000-4:00" is malformed at "-4:00"

My question is: since it's not parsing the message due to an issue with the log that is being generated, is it dropping it, and hence I won't see it in the Out count?

When I executed the command (echo "test123" | nc -w 1 -u 10.82.37.144 5514), I see the output. I'm assuming Elasticsearch is working?

I just want to make sure that my setup is good and Elasticsearch is good, and it's just the parsing that is failing due to the invalid format.

As for the invalid format, can I create an extractor to address this error, since I cannot get the box that is generating the syslog to make any changes?

Hey @dcfasika,

With the limited information from the first post, this was just my :crystal_ball: guess at what the reason is ...

When you send in a test message and that is received and visible for searching, THEN it is more likely that your messages are lost because of the malformed date ...

Understood, and thank you for that. It looks like the date format is incorrect. Given that I can't change the code of the other server, is there another option, like creating an extractor or any customization I can do on the Graylog/Elasticsearch side?

@dcfasika

I would go with a RAW input to receive the messages from that server. RAW is like netcat listening and taking everything. The downside is that you need to parse everything out manually. But the upside is that you receive all messages.

Try changing the input from Syslog TCP/UDP to Raw/Plaintext. After that, use an extractor or pipeline rules to extract the fields. Please post an example full_message.

I changed the input to Raw/Plaintext, and when I load it into the extractor, below are some examples (three types of message):

<134>2020-02-28T11:39:24.000-4:00 fw-node-1 FLOW: prio=information id=00372 event=flow_opened trafficshaping=n/a route=TMP::Route_1 sessionid=n/a ipsrule=n/a flow_proto=TCP flowfwd_recvif=1_Trusted_Flow recvzone=n/a flowfwd_srcip=10.40.22.54 flowfwd_srcport=34000 flowfwd_destip=10.41.11.24 flowfwd_destport=31000 flowrev_recvif=2_Untrusted_Flow flowrev_recvzone=n/a flowrev_srcip=10.41.11.24 flowrev_srcport=3100 flowrev_destip=10.40.22.54 flowrev_destport=34000 geo_srcregion="My Network" geo_destregion="My Network" geo_srccode=XA geo_destcode=XA rule=allow_all ruletype=static ruleorigin=n/a user=n/a userid=n/a action=open logtrace=03bbcf99

<133>2020-02-28T11:44:53.000-4:00 fw-node-1 RULE: prio=notice id=00242 event=disallowed_by_access_rule srcip=10.34.221.7 destip=10.8.1.5 recviface=2_trusted recvzone=n/a recviface=2_trusted recvzone=n/a rule=System::DefaultAccess action=drop logtrace=06da8922

<134>2020-02-28T11:45:07.000-4:00 fw-node-1 FLOW: prio=information id=00379 event=flow_closed_due_to_timeout flow_proto=UDP flowfwd_recvif=2_trusted flowfwd_recvzone=n/a flowfwd_srcip=10.8.21.4 flowfwd_srcport=34355 flowfwd_destip=10.81.0.11 flowfwd_destport=53 flowrev_recvif=OAM_untrust flowrev_recvzone=n/a flowrev_srcip=10.81.0.11 flowrev_srcport=53 flowrev_destip=10.80.33.122 flowrev_destport=34355 flowfwd_pktssent=1 flowfwd_bytessent=81 flowrev_pktssent=0 flowrev_bytessent=0 geo_srcregion="My Network" geo_destregion="My Network" geo_srccode=XA geo_destcode=XA rule=allow_all ruletype=static ruleorigin=n/a user=n/a userid=n/a action=close logtrace=04388d33

Thank you.
Mike

I forgot to mention: after seeing the error, I changed the input to Raw/Plaintext UDP, and the messages are now making it through. Now I need to figure out how to create extractors/pipeline rules to extract the fields. If you have an example similar to the output I provided, that would be great. Thank you so much.

Please tell us the type of network device (firewall?); maybe someone has already created a content pack (or extractor) for it.

hi,

It's a Clavister firewall.

Thank you.

For a basic extractor, you can use the following GROK pattern:
<%{NONNEGINT:facility}>%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{IPORHOST:hostname}%{SPACE}%{SYSLOGPROG:program}%{SPACE}%{GREEDYDATA:message}

After that, use a Key-Value extractor (or the pipeline rule function key_value) to extract the key=value fields from the message.

FYI: the Clavister firewall doesn't follow Syslog RFC 5424, because the header doesn't contain the VERSION field, so Graylog couldn't parse it:
<134>2020-02-28T11:45:07.000-4:00
The correct message would be:
<134>1 2020-02-28T11:45:07.000-4:00
https://tools.ietf.org/html/rfc5424#section-6.2.2
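The two answers above (receive on a Raw input, then split the header with GROK and the payload with a key-value extractor; and the observation that the header lacks the RFC 5424 VERSION field) can be checked outside Graylog with a small parser. The following is an added example, not code from the thread or from Graylog or Clavister: it takes the raw Clavister lines, splits PRI into facility and severity, accepts the single-digit-hour offset "-4:00" that the Syslog input rejected, extracts the key=value payload (including quoted values such as "My Network"), and rewrites the line into well-formed RFC 5424 by inserting the VERSION "1" and zero-padding the offset. The sample lines are constructed, shortened versions of the messages posted above, and the function names are the example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines modelled on the Clavister messages posted in the thread
# (trimmed; not captured from a real firewall).
SAMPLE_LINES = [
    '<134>2020-02-28T11:39:24.000-4:00 fw-node-1 FLOW: prio=information id=00372 '
    'event=flow_opened flow_proto=TCP flowfwd_srcip=10.40.22.54 flowfwd_srcport=34000 '
    'flowfwd_destip=10.41.11.24 flowfwd_destport=31000 geo_srcregion="My Network" '
    'geo_destregion="My Network" rule=allow_all action=open logtrace=03bbcf99',
    '<133>2020-02-28T11:44:53.000-4:00 fw-node-1 RULE: prio=notice id=00242 '
    'event=disallowed_by_access_rule srcip=10.34.221.7 destip=10.8.1.5 '
    'recviface=2_trusted recvzone=n/a rule=System::DefaultAccess action=drop logtrace=06da8922',
]

# <PRI>TIMESTAMP HOST PROG: key=value ...   (note: no RFC 5424 VERSION after <PRI>)
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{1,2}:\d{2}))'
    r'\s+(?P<host>\S+)\s+(?P<prog>[^\s:]+):\s*(?P<msg>.*)$'
)
# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(?P<key>[A-Za-z0-9_]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')
# Split the timestamp into the local part and a 'Z' or '[+-]H:MM' / '[+-]HH:MM' offset.
TS_RE = re.compile(r'^(?P<body>.+?)(?:(?P<zulu>Z)|(?P<sign>[+-])(?P<hh>\d{1,2}):(?P<mm>\d{2}))$')

SEVERITIES = ['emerg', 'alert', 'crit', 'err', 'warning', 'notice', 'info', 'debug']


def parse_timestamp(ts):
    """Accept the firewall's '-4:00' style offset (single-digit hour), which strict
    ISO 8601 / RFC 5424 parsers reject, and return a timezone-aware datetime."""
    m = TS_RE.match(ts)
    if not m:
        raise ValueError('unrecognised timestamp: %r' % ts)
    body = m.group('body')
    fmt = '%Y-%m-%dT%H:%M:%S.%f' if '.' in body else '%Y-%m-%dT%H:%M:%S'
    naive = datetime.strptime(body, fmt)
    if m.group('zulu'):
        tz = timezone.utc
    else:
        delta = timedelta(hours=int(m.group('hh')), minutes=int(m.group('mm')))
        tz = timezone(-delta if m.group('sign') == '-' else delta)
    return naive.replace(tzinfo=tz)


def parse_line(line):
    """Split one raw Clavister line into header fields plus its key=value payload."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not a Clavister syslog line: %r' % line)
    pri = int(m.group('pri'))
    fields = {}
    for kv in KV_RE.finditer(m.group('msg')):
        value = kv.group('quoted') if kv.group('quoted') is not None else kv.group('bare')
        fields[kv.group('key')] = value  # duplicated keys (recviface=...) keep the last value
    return {
        'facility': pri >> 3,          # RFC 5424: PRI = facility * 8 + severity
        'severity': pri & 7,
        'severity_name': SEVERITIES[pri & 7],
        'timestamp': parse_timestamp(m.group('ts')),
        'hostname': m.group('host'),
        'program': m.group('prog'),
        'message': m.group('msg'),
        'fields': fields,
    }


def rfc5424_timestamp(dt):
    """Render an aware datetime with milliseconds and a zero-padded offset, e.g. '-04:00'."""
    offset = dt.utcoffset()
    if offset == timedelta(0):
        suffix = 'Z'
    else:
        total = int(offset.total_seconds())
        sign = '-' if total < 0 else '+'
        total = abs(total)
        suffix = '%s%02d:%02d' % (sign, total // 3600, (total % 3600) // 60)
    return dt.strftime('%Y-%m-%dT%H:%M:%S') + '.%03d' % (dt.microsecond // 1000) + suffix


def to_rfc5424(line):
    """Rewrite the line as a well-formed RFC 5424 message: insert the missing VERSION '1',
    pad the UTC offset, and fill PROCID, MSGID and STRUCTURED-DATA with '-' (nil)."""
    rec = parse_line(line)
    pri = rec['facility'] * 8 + rec['severity']
    return '<%d>1 %s %s %s - - - %s' % (
        pri, rfc5424_timestamp(rec['timestamp']), rec['hostname'], rec['program'], rec['message'])


if __name__ == '__main__':
    for raw in SAMPLE_LINES:
        rec = parse_line(raw)
        print(rec['timestamp'].isoformat(), rec['hostname'], rec['program'],
              rec['severity_name'], rec['fields'].get('event'), rec['fields'].get('action'))
        print(to_rfc5424(raw))
```

Two things worth noticing when running it: the severity decoded from PRI (134 → info, 133 → notice) agrees with the firewall's own prio= field, which is a quick way to confirm the PRI is being split correctly; and to_rfc5424 shows exactly what a relay (or a pipeline rule on the Raw input) would have to emit for the standard Syslog input to accept the messages unchanged.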
