Hello everyone
Well it’ve been while i’m facing this probleme
I am trying hard to send logs from my ubuntu 14.04 ( using Rsyslog) (ip : 192.168.2.36)
To ===> my Graylog Server (192.168.2.37)
well this is the input configuration
And when i run Wireshark with this filter i recive nothing
i’ll be thankfull if someone can help me !
thank u all ! 
N.B I am using Vmwar
Check the firewall rules and network configuration on the machine running Graylog.
What’s the output of the following commands on the machine running Graylog?
# sudo ufw status verbose
# sudo ufw app list
# sudo ufw show raw
Of the Server :
Of the Rsyslog machine :
IPV4 (raw):
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 525 packets, 47963 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 22 packets, 1878 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 3 packets, 354 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3 packets, 354 bytes)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 643 packets, 70086 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 140 packets, 24001 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 434 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 7 packets, 748 bytes)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 643 packets, 70086 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 5 packets, 434 bytes)
pkts bytes target prot opt in out source destination
IPV6:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 62 packets, 4330 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 62 packets, 4330 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 498 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 6 packets, 852 bytes)
pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 62 packets, 4330 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 498 bytes)
pkts bytes target prot opt in out source destination
here i used ncat to send msg over udp port 1514 and i found in elastic
echo “Testy” | ncat -u 192.168.2.36 1514
Did you check rsyslog config so that it is actually running and loads your config file? Like rsyslogd -N1
Also: do you run SElinux? If you do, you need to make port 1541 a rsyslogd port with semanage, or else SElinux will not allow rsyslogd to send data there.
the output of
> rsyslogd -N1
rsyslogd: version 7.4.4, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: error: extra characters in config line ignored: '”<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n”'
rsyslogd: Could not find template 'GRAYLOGRFC5424' - action disabled [try http://www.rsyslog.com/e/3003 ]
rsyslogd: error during parsing file /etc/rsyslog.d/graylog_syslog.conf, on or before line 2: errors occured in file '/etc/rsyslog.d/graylog_syslog.conf' around line 2 [try http://www.rsyslog.com/e/2207 ]
rsyslogd: Could not find template 'GRAYLOGRFC5424' - action disabled [try http://www.rsyslog.com/e/3003 ]
rsyslogd: error during parsing file /etc/rsyslog.d/graylog_syslog.conf, on or before line 3: errors occured in file '/etc/rsyslog.d/graylog_syslog.conf' around line 3 [try http://www.rsyslog.com/e/2207 ]
rsyslogd: End of config validation run. Bye.
Maybe now i have somthing to solve ? thank u sire
amine-el-hijazi@ClientSys:~$ rsyslogd -N1
rsyslogd: version 7.4.4, config validation run (level 1), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
I think the probleme is fixed but still i don’t recive anything in the sever i have a very stupide how can i make sur that i m genereting logs that will be sent to the server , cauz i tried to restart services and other and nothing is working 
so any idea ?
You can try running rsyslogd in debugging mode with -d.
Also make sure to read the syslog guide:
Well the probléme is solved !
thank u all very much
what helped me in this topic :
1 cheking my firwall rull
2 cheking the work of Rsyslog rsyslogd -N1
and i just find a stupide mistake in my configuration
And that is !
Thank u all for your help !
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.