How to send from another Linux host to a Graylog server?
Via UDP or TCP? I used the following in rsyslog, and restarted it:
```
*.* @graylog.example.org:514;RSYSLOG_SyslogProtocol23Format
```
but nothing is coming in on the Graylog server.
Hey @Sharzad
When using port 514, that is a privileged port. I would suggest using port 5140 instead, then configure your input to match rsyslog port 5140. Hope that helps.
Thanks for the reply. I have the following in my rsys.conf:
```
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
*.* @@10.9.71.226:5140;RSYSLOG_SyslogProtocol23Form
```
and my input is
- allow_override_date: true
- bind_address: 0.0.0.0
- charset_name: UTF-8
- expand_structured_data: false
- force_rdns: false
- max_message_size: 2097152
- number_worker_threads: 16
- override_source:
- port: 5140
- recv_buffer_size: 1048576
- store_full_message: true
- tcp_keepalive: true
- timezone: Europe/Copenhagen
- tls_cert_file:
- tls_client_auth: disabled
- tls_client_auth_cert_file:
- tls_enable: false
- tls_key_file:
- tls_key_password:
- use_null_delimiter: false
Still no input.
Is incoming port tcp/5140 open in the Linux firewall on the Graylog server?
And, to display code snippets correctly, they should be formatted as code, like this
I disabled the firewall. What I have is Graylog on an Incus (LXD) server, and my host is an Ubuntu server. Both can see and ping each other.
What’s your INPUT configuration?
This is my input config:
In Linux, rsyslog.conf is: `*.* @@10.9.71.226:5140;RSYSLOG_SyslogProtocol23Form`
and in Graylog I selected TCP
and my input is
- allow_override_date: true
- bind_address: 0.0.0.0
- charset_name: UTF-8
- expand_structured_data: false
- force_rdns: false
- max_message_size: 2097152
- number_worker_threads: 16
- override_source:
- port: 5140
- recv_buffer_size: 1048576
- store_full_message: true
- tcp_keepalive: true
- timezone: Europe/Copenhagen
- tls_cert_file:
- tls_client_auth: disabled
- tls_client_auth_cert_file:
- tls_enable: false
- tls_key_file:
- tls_key_password:
- use_null_delimiter: false
Still no input.
Hey,
It looks correct. A couple of things to check.
- Ensure both Graylog and the remote device have port 5140 open.
- Restart the rsyslog service and check the log files for errors, warnings, etc.
- You can use tcpdump here and check whether your remote device is sending anything over to Graylog. If it's not, I would look into your remote device's logs to find out what's going on.
EDIT: just to make sure, your input looks like this?
Thanks, it's working. It was a port issue.
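
The checks discussed in this thread (`@` sends UDP while `@@` sends TCP, the destination port must match the Graylog input, and ports below 1024 are privileged) can be run against a forwarding rule before restarting rsyslog. The script below is an added example, not code from any of the posters or from Graylog; the function names `parse_forward` and `check_against_input` are hypothetical, and the sample rules are constructed from the ones quoted above with the selector written as `*.*`.

```python
import re

# Legacy rsyslog forwarding action: "<selector> @host[:port][;template]" sends UDP,
# "@@host[:port][;template]" sends TCP. Option blocks such as @@(o)host are not handled.
FORWARD_RE = re.compile(
    r"^(?P<selector>\S+)\s+(?P<at>@{1,2})(?P<host>[^@:;\s]+)"
    r"(?::(?P<port>\d+))?(?:;(?P<template>\S+))?$"
)

def parse_forward(line):
    """Return protocol/host/port/template for a forwarding rule, or None."""
    m = FORWARD_RE.match(line.strip())
    if m is None:
        return None
    return {
        "protocol": "tcp" if m["at"] == "@@" else "udp",
        "host": m["host"],
        "port": int(m["port"] or 514),  # rsyslog uses 514 when no port is given
        "template": m["template"],
    }

def check_against_input(line, input_protocol, input_port):
    """Compare one rsyslog rule with a Graylog syslog input; return findings."""
    rule = parse_forward(line)
    if rule is None:
        return ["not a forwarding rule"]
    findings = []
    if rule["protocol"] != input_protocol:
        findings.append(f"transport mismatch: rule sends {rule['protocol']}, "
                        f"input listens on {input_protocol}")
    if rule["port"] != input_port:
        findings.append(f"port mismatch: rule sends to {rule['port']}, "
                        f"input listens on {input_port}")
    if input_port < 1024:
        findings.append("input port is below 1024: binding it needs root "
                        "or CAP_NET_BIND_SERVICE")
    return findings

if __name__ == "__main__":
    # Constructed sample: the two rules quoted in the thread (selector written as *.*),
    # checked against the TCP input on port 5140 shown in the thread.
    rules = [
        "*.* @graylog.example.org:514;RSYSLOG_SyslogProtocol23Format",
        "*.* @@10.9.71.226:5140;RSYSLOG_SyslogProtocol23Format",
    ]
    for rule in rules:
        print(rule, "->", check_against_input(rule, "tcp", 5140) or "OK")
```

An empty findings list only means the rule and the input agree on transport and port; whether packets actually arrive still has to be confirmed on the wire, for example with tcpdump as suggested above.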