I recently set up Graylog 2.4.3 on Ubuntu 17.10. I have been able to receive messages on an input created for our Dell Sonic wall 3600 as well as some new Cisco switches (3850 Cisco ISO-XE). I have having troubles setting up our older 3750’s as I am unable to change the default port number. The command "logging host [syslog svr ip] " exists but the “logging host [syslog svr ip] transport udp port [syslog port#]” does not exist as it dose on the newer switches. I have tried adding the following line to the rsyslod.conf file to foward the messages with out any sucesss .@127.0.0.1:514;RSYSLOG_SyslogProtocol23Format (I may be missing something here).
The biggest issue is I am currently running into is I am unable to create an input to listen for messages on port 514. I have read the this is not allowed as it is a reserved port. What confuses me is the documentation for Graylog shows inputs created and running on 514. Every time i create one it fails to start. I am wondering if I am missing something during the initial set up of the Graylog server that allows me to see messages received on port 514.
How you can make Graylog using Port 514 is described in the faq - you can use auth bind to have the ability to run it on port 514.
I did not know how you need to configure your Cisco devices and from what you describe it is not clear how messages flow in your setup - maybe you can describe that, if the above did not solve your issue.
I have set the sonic wall to syslog messages to [syslog server IP] port 12202 and set up and input on graylog to receive messages on 12202. (This was actaully auto created by the Sonicwall content pack that I downloaded from the Graylog Marketplace). (This works)
Cisco 3850 Switch
Set a trap to send to [syslog server IP] port 12203 and and input to receive messages from the 3850 switch on port 12203. (This works)
I am going to try the authbind and see if that works
Is upgrading the switch IOS version an option? I know setting the port on IOS 12.2(58)se2 works. Should upgrade to the current golden version of 15 though which also works.
Here is an excerpt of my config. I used this with the raw input I believe from here
no service timestamps log uptime
no logging message-counter syslog
logging buffered 100000 informational
no logging console
login on-failure log every 2
login on-success log
logging origin-id hostname
logging facility syslog
logging source-interface Vlan1
logging host 10.10.10.110 transport tcp port 12209