Syslog 514? [Ubuntu Trusty - VM install]


(Omar Abdo) #1

Hi there,
it’s my first time installing Graylog. I have a few network devices sending logs to my Graylog server (I can see them sending messages with nc -lu 514). However, I can’t find any trace of them in

/var/lib/graylog-server/journal
or
/var/log/graylog-server/

I can access the web portal, so I know the service is running O.K. I have added ‘514/udp’ to ufw. Any tips?

TL;DR - I am getting syslog messages but Graylog isn’t storing them.


(brian) #2

Hi,

I am assuming you installed on UBUNTU.
I think applications have to use a port above port number 1024. So set the input on Graylog to listen on a higher port and then configure devices to send to that port.
Another way would be to set Graylog to listen on a higher port (e.g. 3514) and then redirect port 514 to a port above 1024 (example below uses port 3514) through iptables.
Something like
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 3514
(Note you will have to save iptables for the rule to remain persistent after reboot)

For CentOS
firewall-cmd --permanent --add-forward-port=port=514:proto=udp:toport=3514

You will also have to allow both ports to listen on the firewall.


(Omar Abdo) #3

Brian,
Thanks for your help. I would like to try port forwarding.
I understand that I should add the higher port number like you specified. Do you know where I should change the port number as well? Currently my rsyslog config says:

$IncludeConfig /etc/rsyslog.d/*.conf
*.* @127.0.0.1:514;RSYSLOG_SyslogProtocol23Format
*.* /var/log/messages

If I add the new port number in the first line there, will that be sufficient? And then I just allow 3514 on ufw.


#4

Yes, you are correct.
And at Graylog System/inputs you need to create the input with the same port.


(Omar Abdo) #5

Hi Mack, thanks for the reply.
So far I’ve:

  • Changed port in rsyslog.conf
  • allowed 3514/udp on ufw
  • input the iptables command

Which command do I issue to save iptables? Is it a service that needs to be restarted/enabled to work properly?

Thanks for the continued help.


#6

It’s based on your distribution.
On Red Hat you need to edit the /etc/sysconfig/iptables file.
I suggest googling it.


(Omar Abdo) #7

Ok, thank you again. I installed iptables-persistent.
Now that I’ve redirected and allowed the traffic, what’s the most reliable way to see if traffic is ending up at the new port (3514)? Can I use netcat to listen there?


(Omar Abdo) #8

Everyone,
Thank you for your help. Graylog works now!

For future readers:
Netcat does work on the redirected destination port (3514 for me). Traffic shows up correctly in the /var/lib/graylog-server/journal/messagejournal-0# directory.
Adding an input with source port 3514 works and traffic can be analyzed from the web portal.
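As an added example (not code from the thread or from Graylog), a small Python stand-in for the `nc -lu 3514` check: it binds the redirected destination port, which needs no root because it is above 1024, and decodes the RFC 5424 header that rsyslog's `RSYSLOG_SyslogProtocol23Format` emits, so you can confirm the REDIRECT rule delivers intact messages rather than just "some bytes". The port 3514 and the sample sshd message are assumptions; the sample is constructed.

```python
"""Decode one RFC 5424 syslog datagram arriving on the redirected port.

Constructed example; port 3514 is taken from the thread, and the sample
message below is made up. This is not Graylog or rsyslog code.
"""
import socket

# RFC 5424 PRI = facility * 8 + severity; both tables are indexed by those values.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed datagram in the shape produced by '*.* @127.0.0.1:3514;RSYSLOG_SyslogProtocol23Format'.
SAMPLE = (b'<38>1 2015-03-04T10:15:00.123456+00:00 ubuntu-vm sshd 1234 - '
          b'[timeQuality tzKnown="1"] Accepted publickey for omar from 10.0.0.5')


def parse_rfc5424(datagram: bytes) -> dict:
    """Split '<PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG' into named fields."""
    text = datagram.decode("utf-8", errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing <PRI> header; not RFC 5424 framing")
    pri, rest = text[1:].split(">", 1)
    pri = int(pri)
    version, timestamp, host, app, procid, msgid, rest = rest.split(" ", 6)
    if version != "1":
        raise ValueError(f"unsupported syslog version {version!r}")
    # Structured data is "-" or one or more [..] elements; an unescaped "] "
    # only occurs after the last element because "]" inside values is escaped.
    if rest.startswith("["):
        sd, _, msg = rest.partition("] ")
        sd += "]"
    else:
        sd, _, msg = rest.partition(" ")
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": timestamp, "host": host, "app": app,
            "procid": procid, "msgid": msgid, "sd": sd, "msg": msg}


if __name__ == "__main__":
    # Loopback check: bind the redirected port like `nc -lu 3514`, then send
    # SAMPLE to it and decode what arrives. Replace the send with a real device.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        listener.bind(("127.0.0.1", 3514))
        listener.settimeout(5.0)
        sender.sendto(SAMPLE, ("127.0.0.1", 3514))
        datagram, peer = listener.recvfrom(65535)
        print(peer[0], parse_rfc5424(datagram))
```

If the fields decode cleanly here but nothing reaches Graylog, the problem is the input definition (port or bind address), not the iptables redirect.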


(system) #9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.