Problem with displaying messages from "CEF UDP" input

I have a syslog agent that spits out antivirus logs in CEF log format. In Graylog I created a CEF UDP input and configured it to listen on the required port (5141). I’m able to see messages coming through the input because the size is increasing (KB). But when I click on “Show received messages” it doesn’t show anything. The timezone is properly configured to my timezone.

A few ideas:

  • Increase the time range; sometimes old logs are ingested first. Click on “Show received messages” at the input.
  • For debugging: stop your CEF UDP input and start a raw UDP input. Do you see messages there?
  • Is there anything in the Graylog log of the application (/var/log/graylog/server/server.log)?

Hello

Adding on to @ihe’s suggestion: also don’t forget that users have time zone settings.

My graylog server.log

Hey, @jasongomes

Those messages are for an index template called [.opendistro_security].
Example of mine using GL 4.3.x with ES/OS 1.3.6:

[root@graylog streams]# curl -XGET http://10.10.10.10:9200/_cat/templates?pretty
graylog-internal                [graylog_*]                  -1
beats-template                  [beats_*]                    -1
.transform-internal-005         [.transform-internal-005]    0          7100099
security-index-template         [.security-*]                1000
.ml-notifications               [.ml-notifications]          0          6081399
gl-failures-template            [gl-failures_*]              -1
.monitoring-beats               [.monitoring-beats-6-*]      0          6070299
graylog-custom-mapping          [mytemplog]                  0
.watch-history-9                [.watcher-history-9*]        2147483647
linuxserver-template            [linuxserver_*]              -1
.logstash-management            [.logstash]                  0
.triggered_watches              [.triggered_watches*]        2147483647
.transform-notifications-000002 [.transform-notifications-*] 0          7100099
.ml-anomalies-                  [.ml-anomalies-*]            0          6081399
.ml-state                       [.ml-state*]                 0          6081399
.ml-meta                        [.ml-meta]                   0          6081399
.watches                        [.watches*]                  2147483647
gl-events-template              [gl-events_*]                -1
.monitoring-alerts              [.monitoring-alerts-6]       0          6070299
.monitoring-es                  [.monitoring-es-6-*]         0          6070299
.monitoring-kibana              [.monitoring-kibana-6-*]     0          6070299
restored-archive-template       [restored-archive*]          -1
netflow-template                [netflow_*]                  -1
gl-system-events-template       [gl-system-events_*]         -1
.ml-config                      [.ml-config]                 0          6081399
.monitoring-logstash            [.monitoring-logstash-6-*]   0          6070299
firewall-template               [firewall_*]                 -1
[root@graylog streams]#  curl -XGET 10.200.6.70:9200
{
  "name" : "graylog.domain.comt",
  "cluster_name" : "graylog",
  "cluster_uuid" : "OMgi3eu5QGiJ3buKOYn4_w",
  "version" : {
    "distribution" : "opensearch",
    "number" : "1.3.6",
    "build_type" : "rpm",
    "build_hash" : "cbf74db21db3eb4d79c43caeafc23eec592bf697",
    "build_date" : "2022-10-04T20:26:20.628416Z",
    "build_snapshot" : false,
    "lucene_version" : "8.10.1",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}
[root@graylog streams]#


This is from CEF UDP input


This is from RAW/PLAINTEXT UDP

So RAW/UDP works? The next step then is to build a parser for those logs.

Yep, I’ve begun building grok patterns, but the work would have been faster if CEF UDP had worked for me.

I agree, grokking is sometimes painful. I was reading the logs from your CEF once again. I’m not sure how standards-compliant your CEF is. The CEF parser in Graylog is quite strict. To get it working we have already spent some time with support.
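The two debugging angles in this thread (switch to a raw UDP input to confirm datagrams arrive, then check whether the CEF lines are strict enough for a strict parser) can be exercised offline with a small validator. The following is an added example, not Graylog's CEF codec and not code from anyone in the thread. It assumes the strictness rules of the CEF header specification as commonly documented: seven pipe-delimited header fields after the `CEF:` marker, `\|` and `\\` as the only header escapes, `\=`, `\\`, `\n` and `\r` as extension escapes, and a severity of 0-10 or one of Low/Medium/High/Very-High. Any text before `CEF:` (for example a syslog header left on by the agent) is reported as a warning; whether Graylog's input tolerates such a prefix is not established here, so treat that as a hint to inspect, not a verdict. The sample lines are constructed, and `udp_roundtrip` only uses the loopback interface.

```python
import re
import socket
from dataclasses import dataclass, field

# Seven header fields follow "CEF:" and precede the optional extension.
_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                  "device_event_class_id", "name", "severity")
_SEV_WORDS = {"Low", "Medium", "High", "Very-High"}
# A key is a run of [A-Za-z0-9_.] at the start of the extension or after a space.
_KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_.]+)=")
_EXT_ESC = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}


class CefError(ValueError):
    """Raised for lines a strict CEF parser would refuse."""


@dataclass
class CefEvent:
    header: dict
    extension: dict
    warnings: list = field(default_factory=list)


def _split_header(body):
    """Split off seven header fields, honouring the \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            cur.append(body[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) < 7:
        raise CefError("header needs 7 pipe-delimited fields, got %d" % len(fields))
    return fields, body[i:]  # remainder is the extension


def _parse_extension(ext):
    """Parse key=value pairs; values may contain spaces but must escape '='."""
    ext = ext.strip()
    if not ext:
        return {}
    matches = list(_KEY_RE.finditer(ext))
    if not matches or matches[0].start() != 0:
        raise CefError("extension must begin with key=value")
    out = {}
    for m, nxt in zip(matches, matches[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = re.sub(r"\\([\\=nr])", lambda e: _EXT_ESC[e.group(1)], raw)
    return out


def parse_cef(message):
    """Strictly parse one CEF line; raise CefError on violations, collect warnings."""
    idx = message.find("CEF:")
    if idx < 0:
        raise CefError("no 'CEF:' marker found")
    warnings = []
    if idx > 0:  # e.g. a syslog PRI/timestamp/host left in front of the CEF header
        warnings.append("text before 'CEF:' marker: %r" % message[:idx])
    fields, ext = _split_header(message[idx + len("CEF:"):])
    header = dict(zip(_HEADER_FIELDS, fields))
    if header["version"] != "0":
        raise CefError("unsupported CEF version %r" % header["version"])
    for name in ("device_vendor", "device_product", "device_event_class_id", "name"):
        if not header[name]:
            raise CefError("empty header field %s" % name)
    sev = header["severity"]
    if not ((sev.isdigit() and 0 <= int(sev) <= 10) or sev in _SEV_WORDS):
        raise CefError("invalid severity %r" % sev)
    return CefEvent(header, _parse_extension(ext), warnings)


def check(message):
    """Classify a line as ('ok' | 'warning' | 'rejected', detail) for quick triage."""
    try:
        ev = parse_cef(message)
    except CefError as exc:
        return ("rejected", str(exc))
    return ("warning", "; ".join(ev.warnings)) if ev.warnings else ("ok", ev.header["name"])


def udp_roundtrip(line, host="127.0.0.1"):
    """Send one datagram over loopback and parse what arrives, mirroring the
    'start a raw UDP input' step: it shows exactly the bytes the input sees."""
    recv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    recv.bind((host, 0))  # ephemeral port, loopback only (assumption for the demo)
    recv.settimeout(2)
    send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        send.sendto(line.encode("utf-8"), (host, recv.getsockname()[1]))
        data, _ = recv.recvfrom(65535)
    finally:
        send.close()
        recv.close()
    return parse_cef(data.decode("utf-8", errors="replace"))


# Constructed sample lines: a compliant one, one with a syslog prefix, one with a bad severity.
GOOD_LINE = ("CEF:0|ExampleAV|Endpoint Protection|1.0|100|Malware detected|7|"
             "src=10.0.0.5 dst=10.0.0.9 msg=Quarantined file\\=C:\\\\temp\\\\a.exe rt=Oct 04 2022 20:26:20")
PREFIXED_LINE = "<134>Oct  4 20:26:20 avhost " + GOOD_LINE
BAD_SEVERITY_LINE = "CEF:0|ExampleAV|Endpoint Protection|1.0|100|Malware detected|Critical|src=10.0.0.5"

if __name__ == "__main__":
    for line in (GOOD_LINE, PREFIXED_LINE, BAD_SEVERITY_LINE):
        print(check(line))
    print(udp_roundtrip(GOOD_LINE).extension)
```

Run the script against a capture of your own agent's output (one line per message) to see which lines a strict parser rejects and why; the `rejected` reasons are usually the quickest way to spot a non-standard escape, a missing header field, or a wrapper the agent adds in front of `CEF:`.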