Rsyslog not sending logs


(EL HIJAZI) #1

Hello everyone
Well, it's been a while that I'm facing this problem.

I am trying hard to send logs from my Ubuntu 14.04 (using rsyslog) (IP: 192.168.2.36)
to ===> my Graylog server (192.168.2.37)
Well, this is the input configuration


and this is my rsyslog conf

And when I run Wireshark with this filter I receive nothing

I'll be thankful if someone can help me!
Thank you all! :slight_smile:

N.B. I am using VMware


(Jochen) #2

Check the firewall rules and network configuration on the machine running Graylog.


(EL HIJAZI) #3


Thank you for your answer. I think port 1514 is listening :confused:
and I just installed this machine for testing in VMware; I did not set up any firewall :confused:
Thank you again for your help, Mr Jochen


(Jochen) #4

What’s the output of the following commands on the machine running Graylog?

# sudo ufw status verbose
# sudo ufw app list 
# sudo ufw show raw

(EL HIJAZI) #5

Of the server:


Of the rsyslog machine:

IPv4 (raw):

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
Chain PREROUTING (policy ACCEPT 525 packets, 47963 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 22 packets, 1878 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 3 packets, 354 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 3 packets, 354 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
Chain PREROUTING (policy ACCEPT 643 packets, 70086 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 140 packets, 24001 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 5 packets, 434 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 7 packets, 748 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
Chain PREROUTING (policy ACCEPT 643 packets, 70086 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 5 packets, 434 bytes)
    pkts      bytes target     prot opt in     out     source               destination         


IPV6:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
Chain PREROUTING (policy ACCEPT 62 packets, 4330 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 62 packets, 4330 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 498 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 6 packets, 852 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
Chain PREROUTING (policy ACCEPT 62 packets, 4330 bytes)
    pkts      bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 498 bytes)
    pkts      bytes target     prot opt in     out     source               destination

(EL HIJAZI) #6

Here I used ncat to send a message over UDP port 1514 and I found it in Elastic

echo "Testy" | ncat -u 192.168.2.36 1514


So I think it must be a rsyslog issue :confused:


#7

Did you check the rsyslog config, so that it is actually running and loads your config file? Like rsyslogd -N1

Also: do you run SELinux? If you do, you need to make port 1541 a rsyslogd port with semanage, or else SELinux will not allow rsyslogd to send data there.


(EL HIJAZI) #8

The output of

> rsyslogd -N1

rsyslogd: version 7.4.4, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: error: extra characters in config line ignored: '”<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n”'
rsyslogd:  Could not find template 'GRAYLOGRFC5424' - action disabled [try http://www.rsyslog.com/e/3003 ]
rsyslogd: error during parsing file /etc/rsyslog.d/graylog_syslog.conf, on or before line 2: errors occured in file '/etc/rsyslog.d/graylog_syslog.conf' around line 2 [try http://www.rsyslog.com/e/2207 ]
rsyslogd:  Could not find template 'GRAYLOGRFC5424' - action disabled [try http://www.rsyslog.com/e/3003 ]
rsyslogd: error during parsing file /etc/rsyslog.d/graylog_syslog.conf, on or before line 3: errors occured in file '/etc/rsyslog.d/graylog_syslog.conf' around line 3 [try http://www.rsyslog.com/e/2207 ]
rsyslogd: End of config validation run. Bye.

Maybe now I have something to solve? Thank you, sir

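The `rsyslogd -N1` output in post #8 shows the classic cause of "extra characters in config line ignored": the template string was pasted with curly quotes (”), so rsyslog never defines the template and every action that references it is disabled. The linter below is an added example, not part of this thread and not rsyslog's own code. It flags non-ASCII quotes and template references without a definition before the config is ever loaded. The sample config is a constructed reproduction of the error: the template name and the forwarding target 192.168.2.37:1514 come from the thread, while the exact action lines (a UDP and a TCP forward on lines 2 and 3) are an assumption about what the original file contained.

```python
import re

# Curly quotes that editors and chat clients substitute for ASCII quotes.
# rsyslog's parser does not understand them, so a $template line quoted this
# way is rejected ("extra characters in config line ignored") and the template
# is never defined.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"}

# Template definitions: legacy `$template NAME,"..."` or RainerScript `template(name="NAME" ...)`.
TEMPLATE_DEF_RE = re.compile(
    r'^\s*\$template\s+([\w-]+)\s*,|\btemplate\(\s*name\s*=\s*"([\w-]+)"')
# Template references: legacy `@host:port;NAME` / `@@host:port;NAME` or RainerScript `template="NAME"`.
TEMPLATE_REF_RE = re.compile(
    r'@{1,2}\S+?;([\w-]+)|\btemplate\s*=\s*"([\w-]+)"')


def lint_rsyslog_conf(text):
    """Lint rsyslog config text; return a sorted list of (line_no, message). Empty means clean."""
    findings, defined, refs = [], set(), []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        bad = sorted(ch for ch in SMART_QUOTES if ch in line)
        for ch in bad:
            findings.append((no, "non-ASCII quote %r (U+%04X); use %s"
                             % (ch, ord(ch), SMART_QUOTES[ch])))
        m = TEMPLATE_DEF_RE.search(line)
        if m:
            if not bad:  # mirror rsyslog: a definition it cannot parse does not exist
                defined.add(m.group(1) or m.group(2))
            continue
        for m in TEMPLATE_REF_RE.finditer(line):
            refs.append((no, m.group(1) or m.group(2)))
    for no, name in refs:
        if name not in defined:
            findings.append((no, "template %r referenced but never defined "
                                 "(rsyslog would disable this action)" % name))
    return sorted(findings)


def fix_quotes(text):
    """Replace curly quotes with their ASCII equivalents."""
    for ch, ascii_ch in SMART_QUOTES.items():
        text = text.replace(ch, ascii_ch)
    return text


# Constructed reproduction of the broken /etc/rsyslog.d/graylog_syslog.conf from
# the thread: the template string carries U+201C / U+201D instead of ASCII quotes.
# The two action lines are an assumption (UDP and TCP forward to the Graylog host).
BROKEN_CONF = (
    "$template GRAYLOGRFC5424,\u201c<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% "
    "%HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\\n\u201d\n"
    "*.* @192.168.2.37:1514;GRAYLOGRFC5424\n"
    "*.* @@192.168.2.37:1514;GRAYLOGRFC5424\n"
)

if __name__ == "__main__":
    for no, msg in lint_rsyslog_conf(BROKEN_CONF):
        print("line %d: %s" % (no, msg))
    print("after fix_quotes:", lint_rsyslog_conf(fix_quotes(BROKEN_CONF)))
```

Running it on the broken sample reports the two curly quotes on line 1 and an undefined `GRAYLOGRFC5424` on lines 2 and 3, which is the same picture `rsyslogd -N1` paints; after `fix_quotes` the list is empty. `rsyslogd -N1` remains the authoritative check, since it runs the real parser; this script only catches the two mistakes the thread ran into before you restart the daemon.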

(EL HIJAZI) #9

amine-el-hijazi@ClientSys:~$ rsyslogd -N1
rsyslogd: version 7.4.4, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.

I think the problem is fixed, but still I don't receive anything on the server. I have a very stupid question: how can I make sure that I'm generating logs that will be sent to the server? Because I tried to restart services and other things and nothing is working :frowning: so any idea?

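Post #9 asks how to make sure messages are really being generated and sent. The added example below is not from this thread and not rsyslog's code: it builds a line in the same layout the thread's GRAYLOGRFC5424 template produces, sends it over UDP to a listener it opens itself on loopback, and parses what arrives back into facility, severity and message. It also shows that the bare `echo "Testy" | ncat` payload from post #6 carries no syslog header at all, which is the difference between testing the network path and testing what rsyslog would actually forward. The hostname ClientSys comes from the thread; the app name, timestamp and loopback address are constructed.

```python
import re
import socket
from datetime import datetime, timezone

# Syslog facility and severity codes (RFC 5424 section 6.2.1); PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_rfc5424(facility, severity, hostname, appname, msg,
                  procid="-", msgid="-", timestamp=None):
    """Render a line in the layout of the thread's GRAYLOGRFC5424 template:
    <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG\\n
    Structured data is always the nil value "-" in this example."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    if timestamp is None:
        # RFC 3339 with millisecond precision, like %TIMESTAMP:::date-rfc3339%
        timestamp = datetime.now(timezone.utc).isoformat(timespec="milliseconds")
    return "<%d>1 %s %s %s %s %s - %s\n" % (pri, timestamp, hostname, appname,
                                           procid, msgid, msg)


RFC5424_RE = re.compile(
    r"^<(\d{1,3})>(\d+) (\S+) (\S+) (\S+) (\S+) (\S+) (-|(?:\[[^\]]*\])+)(?: (.*))?$",
    re.S)


def parse_rfc5424(line):
    """Parse a line in the format build_rfc5424 produces.
    Returns a dict, or None when the line has no valid syslog header."""
    m = RFC5424_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 23, severity 7 gives the largest legal PRI, 191
        return None
    return {
        "facility": pri // 8, "severity": pri % 8, "version": int(m.group(2)),
        "timestamp": m.group(3), "hostname": m.group(4), "appname": m.group(5),
        "procid": m.group(6), "msgid": m.group(7), "sd": m.group(8),
        "msg": m.group(9) or "",
    }


def udp_roundtrip(line, host="127.0.0.1"):
    """Send `line` as one UDP datagram to a listener opened here on an ephemeral
    port and return the payload as received. This exercises the send path in
    isolation from rsyslog, the way the ncat test in the thread does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((host, 0))  # port 0: the kernel picks a free port
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(line.encode("utf-8"), (host, port))
        data, _ = rx.recvfrom(65535)
    return data.decode("utf-8")


if __name__ == "__main__":
    # Constructed sample: hostname from the thread, app name made up.
    line = build_rfc5424("user", "notice", "ClientSys", "testapp", "Testy")
    print(repr(line))
    print(parse_rfc5424(udp_roundtrip(line)))
    print(parse_rfc5424("Testy\n"))  # bare ncat-style payload: no header, so None
```

Against a real Graylog input you would send to the server address instead of the loopback listener and look for the message in the Graylog search; if that arrives but nothing from rsyslog does, the network path is fine and `rsyslogd -d`, as suggested in the next reply, is the place to look for whether rsyslog is producing and forwarding anything.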

#10

You can try running rsyslogd in debugging mode with -d.


(Jochen) #11

Also make sure to read the syslog guide:


(EL HIJAZI) #12

Well, the problem is solved!
Thank you all very much
What helped me in this topic:
1 checking my firewall rules
2 checking that rsyslog works: rsyslogd -N1
and I just found a stupid mistake in my configuration
And that is it!
Thank you all for your help!


(system) #13

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.