Hi there,
it’s my first time installing Graylog. I have a few network devices sending logs to my Graylog server (I can see them sending messages with nc -lu 514). However, I can’t find any trace of them in
/var/lib/graylog-server/journal
or
/var/log/graylog-server/
I can access the web portal, so I know the service is running O.K. I have added ‘514/udp’ to ufw. Any tips?
TL;DR - I am getting syslog messages but Graylog isn’t storing them.
I am assuming you installed on UBUNTU.
I think applications have to use a port above port number 1024. So set the input on Graylog to listen on a higher port and then configure devices to send to that port.
Another way would be to set Graylog to listen on a higher port (e.g. 3514) and then redirect port 514 to a port above 1024 (the example below uses port 3514) through iptables.
Something like
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 3514
(Note you will have to save iptables for the rule to remain persistent after reboot)
For CentOS
firewall-cmd --permanent --add-forward-port=port=514:proto=udp:toport=3514
You will also have to allow both ports to listen on the firewall.
Brian,
Thanks for your help. I would like to try port forwarding.
I understand that I should add the higher port number like you specified. Do you know where I should change the port number as well? Currently my rsyslog config says:
Ok, thank you again. I installed iptables-persistent.
Now that I’ve redirected and allowed the traffic, what’s the most reliable way to see if traffic is ending up at the new port (3514)? Can I use netcat to listen there?
Everyone,
Thank you for your help. Graylog works now!
For future readers:
Netcat does work on the redirected destination port (3514 for me). Traffic shows up correctly in the /var/lib/graylog-server/journal/messagejournal-0# directory.
Adding an input with source port 3514 works and traffic can be analyzed from the web portal.
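The procedure from Brian's reply (Graylog input on 3514, redirect UDP 514 to it, persist the rule, open both ports on the firewall) and the listener check discussed in the follow-up posts, as an added example that is not from this thread or from the Graylog project. It assumes Ubuntu with ufw and iptables-persistent (which provides netfilter-persistent), or CentOS with firewalld; the function names, the sample ss output and the test message format are my own choices, and the script only prints the commands unless you run it as root yourself.

```shell
#!/bin/sh
# Added example (not Graylog's code): plan a UDP syslog redirect 514 -> 3514
# for a Graylog input and verify that something is listening on the target port.
# "plan" functions only print the commands; nothing here changes the system.

# Return 0 if the port is in the privileged range 1-1023 (needs root to bind).
is_privileged_port() {
    [ "$1" -ge 1 ] && [ "$1" -le 1023 ]
}

# Return 0 if the argument is an integer between 1 and 65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) echo "not a port number: '$1'" >&2; return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the Ubuntu/iptables plan: an idempotent REDIRECT rule (checked with -C
# so re-running does not add duplicates), ufw allow rules for both ports, and
# the netfilter-persistent save so the rule survives a reboot.
plan_iptables() {
    src=$1; dst=$2
    valid_port "$src" && valid_port "$dst" || return 1
    if is_privileged_port "$dst"; then
        echo "error: target port $dst is below 1024; pick an unprivileged port" >&2
        return 1
    fi
    if ! is_privileged_port "$src"; then
        echo "note: $src is not privileged; Graylog could listen on it directly" >&2
    fi
    rule="PREROUTING -p udp --dport $src -j REDIRECT --to-port $dst"
    echo "iptables -t nat -C $rule 2>/dev/null || iptables -t nat -A $rule"
    echo "ufw allow $src/udp"
    echo "ufw allow $dst/udp"
    echo "netfilter-persistent save"
}

# Print the CentOS/firewalld equivalent (permanent rules, then reload).
plan_firewalld() {
    src=$1; dst=$2
    valid_port "$src" && valid_port "$dst" || return 1
    echo "firewall-cmd --permanent --add-forward-port=port=$src:proto=udp:toport=$dst"
    echo "firewall-cmd --permanent --add-port=$src/udp"
    echo "firewall-cmd --permanent --add-port=$dst/udp"
    echo "firewall-cmd --reload"
}

# Return 0 if 'ss -lun' output read from stdin shows a UDP listener on port $1.
# Matches only the Local Address column (the peer column ends in ':*').
udp_listener_present() {
    grep -Eq "^UNCONN[[:space:]].*[:.]$1([[:space:]]|\$)"
}

# Live check against the running system.
check_listener() {
    ss -lun | udp_listener_present "$1"
}

# Build an RFC 3164 style test line. <14> = facility user(1)*8 + severity info(6).
# Arguments: timestamp, hostname, message text.
syslog_test_line() {
    printf '<14>%s %s graylog-check: %s\n' "$1" "$2" "$3"
}

# Send one constructed test message with netcat. Send to the Graylog input port
# (3514) directly, or to 514 from ANOTHER host: the PREROUTING chain does not
# see packets generated on the local machine, so 127.0.0.1:514 is not redirected.
send_test_message() {
    host=$1; port=$2
    syslog_test_line "$(date '+%b %e %H:%M:%S')" "$(hostname)" "test to $host:$port" \
        | nc -u -w 1 "$host" "$port"
}

# Command-line dispatch; does nothing when run without arguments.
case "${1:-}" in
    plan)     plan_iptables "$2" "$3" ;;
    firewalld) plan_firewalld "$2" "$3" ;;
    check)    check_listener "$2" && echo "udp/$2 has a listener" ;;
    send)     send_test_message "$2" "$3" ;;
esac
```

Run `sh redirect.sh plan 514 3514` and review the printed commands before executing them as root; `sh redirect.sh check 3514` confirms the Graylog input is bound (this is the same information as `nc -lu 3514` receiving data, without competing with Graylog for the port). For the end-to-end test, send from a device on the network or with `sh redirect.sh send <graylog-ip> 514` from another machine, since locally generated packets bypass the PREROUTING redirect.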