Not all messages sent to the server show up in Graylog. Watching with tcpdump/Wireshark I can see the messages coming in on the interface, but only some messages are being sent on to Graylog. I have an image below that shows a message on the left that appears in Graylog and a message on the right that does not appear in Graylog. I’d love for someone to tell me what the difference is and why it’s behaving this way.
Ubuntu Server 20.04
Graylog 4.3.2-1
The message on the left was sent from a Dell desktop; the message on the right was sent from a Ubiquiti Edgerouter. We have many Edgerouters in production and it appears none of the messages from them are getting into Graylog, despite the fact that they are hitting the Ethernet port, as proven by the tcpdump. I can’t decipher the difference between those message packets and the ones sent from a Linux desktop as a test.
For testing purposes, have you tried to use a different INPUT for the Ubiquiti Edgerouter (i.e., Raw/Plaintext UDP)? Might have to add an iptables rule for the new port number.
Looks like the one on the right needs Authentication/Privilege and the session was closed by root.