RSYSLOG UDP works but not SYSLOG TCP

Hello,

I setup a test CENTOS 7 server with graylog2 on it to collect server logs that are being sent via rsyslog, however I am only able to see SYSLOG UDP in the web console and not TCP, which is what I would like to use.

No errors seem to be generated, the TCP message just don’t seem to be getting to the destination. Any assistance would be appreciated.

What’s the configuration of rsyslog?
What’s the configuration of the Syslog UDP input?
What’s the configuration of the Syslog TCP input?
Are there any packet filters or firewalls blocking TCP packets?

It turns out it would only work using Raw TCP but for some reason not by port 5140. I had to use another port, not sure why. TY

Just curious, but what type of logs were you attempting to forward toward Graylog? There are several vendors that don’t abide by typical Syslog standards and will this will cause issues when trying to input logs.

Hi Shane,

Since this was a test I was just trying to collect the normal Centos system logs, nothing custom on that VM.

What are the “normal Centos system logs”?
What’s the configuration of the syslog daemon which sends the messages to Graylog?

By normal I mean something that comes in centos by default such as /var/log/messages and not by applications install later such as /var/log/graylog-server/server.log for example.

rsyslog.conf was pettry mych default I just added *.* @@<destination_ip>:5155;GRAYLOG5424

The problem I was having was that I was making rsyslog and graylog listen for logs on the same port. Turns out if you turn off rsyslog from listening and just let graylog’s input rule listen for the messages it works as intended.

And does the GRAYLOG5424 template exist?

Please refer to the syslog guide for details:

Well, yes. You want Graylog to ingest the messages and not rsyslog. :wink:

Yes, the template is setup in /etc/rsysconfig.d/graylog.conf maybe there is a misunderstanding here. This problem is now solved. Thanks for all the help.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.