[solved] How i get rsyslog messages in graylog? misunderstanding

Graylog Central (peer support)
1

Hello all :slight_smile:

i’ve installed graylog v2.5.1+34194da on Ubuntu 18.04. The program is working fine. But i’am not able to get data from clients. So i think i misunderstanding something.

On the graylogserver i activated the plugin “syslog” on port 1514. On the clientside i activated the rsyslogdaemon to send logs to graylog on this port:

cat  /etc/rsyslog.d/51-remote.conf
*.* @graylog.local:1514;RSYSLOG_SyslogProtocol23Format

but nothing goes to graylogserver. If i send from the sameclient to the rsyslogserver running on graylog, this is working. So what i’am doing wrong?

Here are the pluginconfig:

allow_override_date: true
bind_address: gaylog.local
expand_structured_data: false
force_rdns: false
override_source: <empty>
port: 1514
recv_buffer_size: 262144
store_full_message: false

Thanks a lot
best regards
boospy

2

Hi @boospy

Is your syslog input listing on UDP or TCP?

Thanks

3

Rsyslog was listening to UDP and receives messages from clients. But i think this is wrong. Graylog should receives the messages.

4

Any firewalls in the way blocking UDP/1514 ?

If you run tcpdump on the graylog host, can you see the packets reaching the server?

5

Yeah, found the failure. Port was closed because of bindadress. Changed from

bind_address: gaylog.local

to

bind_address: ::