I have a syslog agent that spits out antivirus logs in CEF log format. In Graylog I created a CEF UDP input and configured it to listen on the required port (5141). I’m able to see messages coming through the input because the size is increasing (kB). But when I click on “Show received messages” it doesn’t show anything. The timezone is properly configured to my timezone.
A few ideas:
- Increase the time range; sometimes old logs are ingested first. Click on “show received messages” at the input.
- For debugging: stop your UDP CEF input and start a raw UDP input. You should see messages?
- Is there anything in the Graylog application log (/var/log/graylog/server/server.log)?
Hello
Adding on to @ihe’s suggestion: also don’t forget that users have time zone settings.
Hey, @jasongomes
Those messages are for an index template called [.opendistro_security].
Example of mine using GL 4.3.x ES/OS 1.3.6
[root@graylog streams]# curl -XGET http://10.10.10.10:9200/_cat/templates?pretty
graylog-internal [graylog_*] -1
beats-template [beats_*] -1
.transform-internal-005 [.transform-internal-005] 0 7100099
security-index-template [.security-*] 1000
.ml-notifications [.ml-notifications] 0 6081399
gl-failures-template [gl-failures_*] -1
.monitoring-beats [.monitoring-beats-6-*] 0 6070299
graylog-custom-mapping [mytemplog] 0
.watch-history-9 [.watcher-history-9*] 2147483647
linuxserver-template [linuxserver_*] -1
.logstash-management [.logstash] 0
.triggered_watches [.triggered_watches*] 2147483647
.transform-notifications-000002 [.transform-notifications-*] 0 7100099
.ml-anomalies- [.ml-anomalies-*] 0 6081399
.ml-state [.ml-state*] 0 6081399
.ml-meta [.ml-meta] 0 6081399
.watches [.watches*] 2147483647
gl-events-template [gl-events_*] -1
.monitoring-alerts [.monitoring-alerts-6] 0 6070299
.monitoring-es [.monitoring-es-6-*] 0 6070299
.monitoring-kibana [.monitoring-kibana-6-*] 0 6070299
restored-archive-template [restored-archive*] -1
netflow-template [netflow_*] -1
gl-system-events-template [gl-system-events_*] -1
.ml-config [.ml-config] 0 6081399
.monitoring-logstash [.monitoring-logstash-6-*] 0 6070299
firewall-template [firewall_*] -1
[root@graylog streams]# curl -XGET 10.200.6.70:9200
{
"name" : "graylog.domain.comt",
"cluster_name" : "graylog",
"cluster_uuid" : "OMgi3eu5QGiJ3buKOYn4_w",
"version" : {
"distribution" : "opensearch",
"number" : "1.3.6",
"build_type" : "rpm",
"build_hash" : "cbf74db21db3eb4d79c43caeafc23eec592bf697",
"build_date" : "2022-10-04T20:26:20.628416Z",
"build_snapshot" : false,
"lucene_version" : "8.10.1",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@graylog streams]#
So RAW/UDP works? The next step then is to build a parser for those logs.
Yep, I’ve begun building grok patterns. But the work would have been faster if CEF UDP had worked for me.
I agree, grokking is sometimes painful. I was reading the logs from your CEF once again. I’m not sure how standard-compliant your CEF is. The CEF parser in Graylog is quite strict. To get it working we already spent some time with support.
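To check how standard-compliant the agent's CEF output is before blaming the input, here is an added example (not Graylog's parser and not code from this thread) that applies the CEF header and extension rules: seven pipe-delimited header fields after an optional syslog prefix, `\|` and `\\` escapes in the header, `\=` escapes in extension values, and a severity of 0-10 or Low/Medium/High/Very-High. The sample antivirus lines are constructed; the vendor and field values are placeholders, not real product output.

```python
import re

HEADER_FIELDS = ("vendor", "product", "version", "signature_id", "name", "severity")
SEVERITY_WORDS = {"Low", "Medium", "High", "Very-High"}
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # an unescaped 'key=' starts a new pair
# Constructed sample lines (not from the thread): a compliant AV event, and one missing severity.
GOOD = ("<14>Nov  3 10:00:00 avhost CEF:0|ExampleAV|Endpoint Protection|4.2|1001|Malware detected|8|"
        "src=10.0.0.5 shost=ws01 fname=eicar.com act=quarantined msg=Signature EICAR\\=Test")
BAD = "CEF:0|ExampleAV|Endpoint Protection|4.2|1001|Malware detected|src=10.0.0.5 act=quarantined"

def _split_header(text):
    """Split the six pipe-delimited fields after 'CEF:<ver>|', honouring \\| and \\\\ escapes."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < len(HEADER_FIELDS):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            buf.append(text[i + 1]); i += 2        # escaped pipe/backslash is a literal character
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("header has fewer than 7 pipe-delimited fields (CEF:<ver> plus 6)")
    return dict(zip(HEADER_FIELDS, fields)), text[i:]   # remainder is the extension

def _parse_extension(ext):
    # 'key=value key2=value with spaces' -> dict; values are unescaped (\= and \\)
    hits, out = list(_EXT_KEY.finditer(ext)), {}
    for n, km in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        out[km.group(1)] = ext[km.end():end].strip().replace("\\=", "=").replace("\\\\", "\\")
    return out

def parse_cef(line):
    """Parse one CEF event (an optional syslog prefix is skipped); ValueError if malformed."""
    m = re.search(r"CEF:(\d+)\|", line)
    if m is None: raise ValueError("no 'CEF:<version>|' prefix found")
    header, ext = _split_header(line[m.end():])
    header["cef_version"] = int(m.group(1))
    return {"header": header, "extension": _parse_extension(ext)}

def cef_issues(line):
    """List the strictness problems a CEF parser would reject; an empty list means compliant."""
    try:
        ev = parse_cef(line)
    except ValueError as e:
        return [str(e)]
    sev = ev["header"]["severity"]
    if not (sev.isdigit() and int(sev) <= 10) and sev not in SEVERITY_WORDS:
        return [f"severity {sev!r} is not 0-10 or Low/Medium/High/Very-High"]
    return [f"header field {f} is empty" for f in HEADER_FIELDS if not ev["header"][f]]
```

Run `cef_issues()` over a few lines captured from the raw UDP input; a line that fails here will also be rejected by a strict CEF parser, which tells you whether to fix the agent's format or fall back to grok.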