Syslog 514? [Ubuntu Trusty - VM install]

Hi there,
it’s my first time installing Graylog. I have a few network devices sending logs to my Graylog server (I can see them sending messages with nc -lu 514). However, I can’t find any trace of them in

/var/lib/graylog-server/journal
or
/var/log/graylog-server/

I can access the web portal, so I know the service is running O.K. I have added ‘514/udp’ to ufw. Any tips?

TL;DR - I am getting syslog messages but Graylog isn’t storing them.

Hi,

I am assuming you installed on Ubuntu.
I think applications have to use a port above port number 1024. So set the input on Graylog to listen on a higher port and then configure devices to send to that port.
Another way would be to set Graylog to listen on a higher port (e.g. 3514) and then redirect port 514 to a port above 1024 (the example below uses port 3514) through iptables.
Something like
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 3514
(Note you will have to save iptables for the rule to remain persistent after reboot.)

For CentOS
firewall-cmd --permanent --add-forward-port=port=514:proto=udp:toport=3514

You will also have to allow both ports to listen on the firewall.

Brian,
Thanks for your help. I would like to try port forwarding.
I understand that I should add the higher port number like you specified. Do you know where I should change the port number as well? Currently my rsyslog config says:

$IncludeConfig /etc/rsyslog.d/*.conf
*.* @127.0.0.1:514;RSYSLOG_SyslogProtocol23Format
*.* /var/log/messages

If I add the new port number in the first line there, will that be sufficient? And then I just allow 3514 on ufw.

Yes, you are correct.
And at graylog System/inputs you need to create the input with the same port.


Hi Mack, thanks for the reply.
So far I’ve:

  • Changed port in rsyslog.conf
  • allowed 3514/udp on ufw
  • input the iptables command

Which command do I issue to save iptables? Is it a service that needs to be restarted/enabled to work properly?

Thanks for the continued help.

It’s based on your distribution.
On Red Hat you need to edit the /etc/sysconfig/iptables file.
I can suggest to google it.

Ok, thank you again. I installed iptables-persistent.
Now that I’ve redirected and allowed the traffic, what’s the most reliable way to see if traffic is ending up at the new port (3514)? Can I use netcat to listen there?

Everyone,
Thank you for your help. Graylog works now!

For future readers:
Netcat does work on the redirected destination port (3514 for me). Traffic shows up correctly in the /var/lib/graylog-server/journal/messagejournal-0# directory.
Adding an input with source port 3514 works and traffic can be analyzed from the web portal.
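A script that applies Brian's redirect and then checks the pieces this thread ended up verifying by hand (NAT rule present, a listener on the unprivileged port, a test message delivered). This is an added example, not code from the thread or from Graylog; it assumes a Linux host with iptables, ufw, ss and nc installed, and uses the thread's ports 514 and 3514.

```shell
#!/bin/sh
# Added example: apply and verify the UDP 514 -> 3514 redirect that lets a
# Graylog syslog input bind an unprivileged port. Run "apply"/"check" as root.
SYSLOG_PORT=514    # well-known port the network devices send to
LISTEN_PORT=3514   # unprivileged port the Graylog input binds

# True if $1 is a port an unprivileged process may bind (1025-65535).
is_unprivileged_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -gt 1024 ] && [ "$1" -lt 65536 ]
}

# Reads `iptables -t nat -S PREROUTING` output on stdin; true if a rule
# redirects UDP $1 to $2 (iptables lists the REDIRECT argument as --to-ports).
has_redirect_rule() {
  grep -Eq -- "^-A PREROUTING .*-p udp .*--dport $1 .*-j REDIRECT --to-ports $2( |\$)"
}

# Reads `ss -uln` output on stdin; true if a UDP socket is bound to port $1.
has_udp_listener() {
  awk -v port=":$1" '$4 ~ port "$" || $5 ~ port "$" { found = 1 } END { exit !found }'
}

apply_redirect() {
  is_unprivileged_port "$LISTEN_PORT" || { echo "listen port must be above 1024"; return 1; }
  if iptables -t nat -S PREROUTING | has_redirect_rule "$SYSLOG_PORT" "$LISTEN_PORT"; then
    echo "redirect rule already present"
  else
    iptables -t nat -A PREROUTING -p udp --dport "$SYSLOG_PORT" -j REDIRECT --to-port "$LISTEN_PORT"
  fi
  ufw allow "$SYSLOG_PORT/udp" && ufw allow "$LISTEN_PORT/udp"   # both ports, as noted above
  if command -v netfilter-persistent >/dev/null 2>&1; then
    netfilter-persistent save   # keeps the rule across reboots (iptables-persistent package)
  fi
}

check_redirect() {
  iptables -t nat -S PREROUTING | has_redirect_rule "$SYSLOG_PORT" "$LISTEN_PORT" \
    && echo "ok: NAT redirect $SYSLOG_PORT -> $LISTEN_PORT" || echo "MISSING: NAT redirect rule"
  ss -uln | has_udp_listener "$LISTEN_PORT" \
    && echo "ok: listener on udp/$LISTEN_PORT (the Graylog input)" \
    || echo "MISSING: nothing on udp/$LISTEN_PORT; create the input under System/Inputs"
  # PREROUTING never sees locally generated packets, so a local test goes straight to
  # the listen port; test the 514 redirect itself from another host (or with nc -lu).
  printf '<13>1 %s %s redirect-check - - - redirect test\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" \
    | nc -u -w 1 127.0.0.1 "$LISTEN_PORT"
}

case "${1:-}" in
  apply) apply_redirect ;;
  check) check_redirect ;;
esac
```

Run `sudo sh redirect-check.sh apply` once, then `sudo sh redirect-check.sh check` and look for the "redirect test" message in the input's stream in the web portal.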
