Output not sending anything

I have created an output, a couple of them in fact, for forwarding traffic from Graylog to another host, in this case a SIEM server; however, nothing is being sent.
I am seeing data processed by Graylog, input to it from the source location, but nothing going out, which I have verified by traffic dump as I see no packets going out and nothing received at the destination.
I have verified that the output is assigned to the correct streams, even created one specifically on the streams, nothing.
I appear to be missing something but I have double checked everything and it all appears right.
Any hints as to what I’m missing?

Hello @rconroy

Is it possible to show all the configurations made for this?
Check if something is blocking (firewall) messages being sent. Make sure Graylog knows where to go, meaning can you ping the remote host from the Graylog server to where the messages are supposed to go.

Thank you for the reply
It's a simple forward output, the IP and port are correct and verified as reachable.
I'm certain it's not a network or firewall issue.
There isn’t much to configure on these other than making sure the IP address and port are accurate, which they are. I set this to use the default port 514.


Out of curiosity have you tried a different port like 5141?

No, I'll try it just to see if it sends anything, but the siem is of course listening on that port.
Update shortly.

I tested this without changing the defaults, which was showing 133011.
Then I did more interface dumps looking for anything leaving the Graylog server to the destination IP or anything reaching the destination from that source; there was nothing.

I see. The reason I suggested a different port above 514 is that Syslog by default is UDP/514, but you would need to run Graylog as root to have the listener bind to anything below 1024.

Are you using Outputs for a stream or Forwarder on enterprise version?

Stream output… from the dropdown to select output type I chose “Forwarder output”.

Oh ok, I see now, the default port as shown below. I'm mocking this up in my lab rn.

Much appreciated, thanks.
All I'm trying to do right now is get it to forward to the siem.
After I’ve proven that I'll look at how to limit it to only certain events if possible, but for now I’m just proving the concept.

Ok. Since I haven’t used this yet I did a quick sweep of the documentation about Forwarder INPUTS:

If you are setting up a Forwarder for Graylog on-premise, you will need to create a Forwarder input on the System > Inputs page. Skip this step if you are using Graylog Cloud. This special Forwarder input allows your Graylog nodes to accept connections from Forwarders. This input should only be created once with the Global option checked. This will ensure that the input runs on all Graylog nodes within the cluster.

Found here

If you are trying to send logs to a different node then I believe the Output is what you want to use.

Correct, my intent is to send data from Graylog to the siem.
Graylog itself is processing the events just fine, works as intended; what I want to do is include the siem in the data processing.
Graylog receives, then forwards to the siem.
So far it doesn’t seem to be sending anything.

That is correct, from the documentation, my understanding is…

Receive data from other forwarders.

Perhaps using the output as shown above would help.


Or maybe using the word “Forwarder” is making things unclear.

You have Output attached to Streams that forward logs to a different device or remote device.

Then you have "Forwarders" that collect logs/messages from other "forwarders". To make this whole system work you need to create an INPUT called Forwarder so the remote forwarder can send logs to this INPUT.

I quote:

This special Forwarder input allows your Graylog nodes to accept connections from Forwarders. This input should only be created once with the Global option checked. This will ensure that the input runs on all Graylog nodes within the cluster.

I could be wrong but maybe this is why you don’t see logs leaving Graylog to your siem device.

The intent here is to use the output to send to another device.
I have configured outputs on the streams, but nothing is being sent.
The type of output I selected was the “Forwarder Output”, the first one on the list that allows me to enter the remote IP and port to be used.

Hello,

So you have something blocking your output?

When creating the Forwarder Output on that stream it clearly states the following.

HostName
“The destination host name or IP address where the Graylog Forwarder input is running.”

PORT
"The destination port that the Graylog Forwarder input is listening on."

That’s probably why you do not see any logs. If you need any other type of logs then you will need an Enterprise License.

So what you may need is something like a GELF Output.
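To make concrete what a GELF output actually puts on the wire (and what a SIEM side would have to accept), here is an added example that is not from the thread or from Graylog's own code: it builds a GELF 1.1 datagram, sends it over UDP to a stand-in listener on 127.0.0.1, and validates what arrives. The hostname "graylog-node" and the custom field names are constructed sample values.

```python
import json
import socket
import time
import zlib

# Minimal GELF 1.1 UDP sender plus a verifying listener (added example;
# the listener stands in for the SIEM's GELF-capable UDP input).

REQUIRED = ("version", "host", "short_message")

def build_gelf(host, short_message, level=6, **extra):
    """Build a GELF 1.1 payload. Custom fields are prefixed with '_';
    '_id' is reserved by the GELF spec and is rejected here."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": round(time.time(), 3), "level": level}
    for key, value in extra.items():
        if key == "id":
            raise ValueError("'_id' is reserved in GELF")
        msg["_" + key] = value
    return json.dumps(msg).encode("utf-8")

def validate_gelf(payload):
    """Inflate a zlib-compressed datagram (first byte 0x78), parse the
    JSON and enforce the mandatory GELF fields and version."""
    if payload[:1] == b"\x78":
        payload = zlib.decompress(payload)
    msg = json.loads(payload.decode("utf-8"))
    missing = [k for k in REQUIRED if k not in msg]
    if missing or msg["version"] != "1.1":
        raise ValueError(f"invalid GELF message, missing={missing}")
    return msg

def send_and_receive(payload, compress=False, timeout=2.0):
    """Send one GELF datagram to a local UDP listener and return the
    parsed message: 'packet leaves the sender, packet reaches the receiver'."""
    data = zlib.compress(payload) if compress else payload
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))   # ephemeral port, no root required
        rx.settimeout(timeout)
        tx.sendto(data, rx.getsockname())
        received, _ = rx.recvfrom(65535)
    return validate_gelf(received)

if __name__ == "__main__":
    m = send_and_receive(build_gelf("graylog-node", "test event", src="stream-out"))
    print(m["host"], m["short_message"], m["_src"])
```

Pointing the sender at a real host and the SIEM's GELF UDP port, while capturing on both ends, separates "the datagram never left" from "the receiver rejected the format".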

I'm a little confused by this response, is the point not to send to another host when using ANY forwarder?
The input is by definition on a remote host, be it Graylog or whatever other server it may be.
The problem is that there is nothing being sent at all.
No packets are leaving the Graylog server and nothing is reaching the remote interface. I have verified this by packet dump. Even if the format was wrong or different I should still see packets and traffic going from the Graylog server to whatever the remote server is.
The problem is that I’m not seeing any traffic being sent.

Hello,

As I stated before.

The link below would be the definition of forwarders and what they are for.

https://docs.graylog.org/docs/forwarder

Outputs on streams: send data to other devices/sources.
Forwarders: Send data from Graylog server to a forwarder INPUT.

Unfortunately I don’t know how you setup your environment. If data is not sent it could be a couple different issues.

I personally would check to ensure nothing is blocking the address to your siems device. If this is true, make sure Graylog knows the IP address of this siems device.

For better clarity please look at this post.

If you're doing something different we would need more information than what is stated here to help with this issue.

I have verified nothing is blocking it.
Oddly enough, if I use the TCP forwarder it seems like something goes thru, but the server isn’t set up for TCP. I can see the packets and sockets though.
I'm perplexed why the UDP is failing.

Can you show this TCP forward? Cannot help you if you don’t show what you're doing.
Second, I don’t see a TCP forwarder. Perhaps looking at the documentation may help.