Symantec Endpoint Management logs not coming in

I have SEPM pointed to TCP/1514 and I can see the logs via tcpdump, however Graylog does not appear to be receiving them. Other things are having no issues communicating with that port, but just this.

Any ideas of where to start? (ignore the fujitsu-dtcns as that's just tcpdump using common ideas for port 1514)

Hey @giveen

Have you checked the Timezone by chance on both devices?

Yes, the time is 2 hours different; it might be the reason.
Maybe also look into the error log. Maybe they are getting dropped for a random reason like invalid timestamp.

The packet capture and the tcpdump were from two different times. I didn't capture them at the same time.

This was working just fine on Graylog 4, I created a new RH8 server, set my settings exactly the same for Graylog and had the SEPM server pointed to the new server.

All times line up.


Hey @giveen

By chance have you tried using a different Input?

I did send it to RAW input and it works BUT it jumbles tons of messages together which makes parsing impossible.
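When a raw TCP input shows several events run together, one thing to check is how the sender delimits messages on the wire, since syslog over TCP has no framing of its own and relies on either a trailing LF or an RFC 6587 octet-count prefix. As an added example (not from this thread or from Graylog), here is a small Python splitter that implements both framings over a constructed stream; the SEPM-style sample lines are invented for illustration.

```python
"""Split a syslog-over-TCP byte stream into individual messages.

Handles the two RFC 6587 framings: octet counting ("<len> <msg>") and
non-transparent framing (message terminated by LF or CRLF). A stream
that uses neither cannot be split reliably, which is what a "jumbled"
raw input looks like.
"""
import re

# Octet-count header: decimal length, one space, then the "<PRI>" start of the message.
_OCTET_HDR = re.compile(rb"^(\d{1,5}) (?=<)")


def split_syslog_stream(buf: bytes) -> tuple[list[bytes], bytes]:
    """Return (complete messages, leftover bytes not yet terminated)."""
    msgs: list[bytes] = []
    while buf:
        m = _OCTET_HDR.match(buf)
        if m:  # octet-counted message
            length, start = int(m.group(1)), m.end()
            if len(buf) - start < length:
                break  # body not fully received yet; keep buffering
            msgs.append(buf[start:start + length])
            buf = buf[start + length:]
            continue
        nl = buf.find(b"\n")
        if nl == -1:
            break  # no delimiter yet; keep buffering
        msgs.append(buf[:nl].rstrip(b"\r"))
        buf = buf[nl + 1:]
    return msgs, buf


def frame(msg: bytes, octet_counting: bool = False) -> bytes:
    """Frame one message the way a well-behaved TCP syslog sender would."""
    if octet_counting:
        return b"%d %s" % (len(msg), msg)
    return msg + b"\n"


# Constructed sample stream: LF-framed, then octet-counted, then CRLF-framed,
# then a partial message still in flight.
MSG1 = b"<134>Sep 17 10:00:01 sepm01 SymantecServer: Virus found,Computer name: ws01"
MSG2 = b"<134>Sep 17 10:00:02 sepm01 SymantecServer: Scan complete,Computer name: ws02"
MSG3 = b"<14>Sep 17 10:00:03 sepm01 SymantecServer: Agent connected"
SAMPLE = frame(MSG1) + frame(MSG2, True) + MSG3 + b"\r\n" + b"<134>partial"

if __name__ == "__main__":
    complete, pending = split_syslog_stream(SAMPLE)
    for m in complete:
        print(m.decode())
    print("pending:", pending)
```

Running it prints the three complete messages and leaves `<134>partial` buffered; feeding the same capture without any LF or length prefix yields zero complete messages, which is the symptom to look for in a packet capture.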

