Syslog from Ubiquiti EdgeRouter

Hi All,

Very new to Graylog, but from what I can see it is a great product.
I am trying to get the log file from our routers in via syslog. From what I can see the Ubiquiti routers are outputting in the correct RFC5424 standard but Graylog is not recording them. I am unable to understand why.

The syslog messages are going directly into Graylog on UDP 514, and messages from other devices, e.g. rsyslog from Linux and some Cisco switches, are parsed incorrectly but are being saved. The Ubiquiti routers are just not being accepted and I am unable to figure out why.

If I use a standard raw/string input the data is saved and I can then use extractors to structure the data, but I then need to find a way to convert the facility and level into different fields.

Below is a packet capture of a few syslog messages from the Ubiquiti router to the Graylog server.

root@graylog:~# tcpdump -n -vv -i eth0 port 514
02:33:04.323090 IP (tos 0x0, ttl 62, id 46424, offset 0, flags [DF], proto UDP (17), length 167)
    10.49.0.1.38127 > 10.1.8.26.514: [udp sum ok] SYSLOG, length: 139
        Facility authpriv (10), Severity info (6)
        Msg: Oct 30 13:33:04 router sudo:     root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/iptables -t nat -L UBNT_PFOR_DNAT_RULES -vnx
        0x0000:  3c38 363e 4f63 7420 3330 2031 333a 3333
        0x0010:  3a30 3420 7062 722d 722d 6231 3120 7375
        0x0020:  646f 3a20 2020 2020 726f 6f74 203a 2054
        0x0030:  5459 3d75 6e6b 6e6f 776e 203b 2050 5744
        0x0040:  3d2f 203b 2055 5345 523d 726f 6f74 203b
        0x0050:  2043 4f4d 4d41 4e44 3d2f 7362 696e 2f69
        0x0060:  7074 6162 6c65 7320 2d74 206e 6174 202d
        0x0070:  4c20 5542 4e54 5f50 464f 525f 444e 4154
        0x0080:  5f52 554c 4553 202d 766e 78
02:33:04.324144 IP (tos 0x0, ttl 62, id 46425, offset 0, flags [DF], proto UDP (17), length 127)
    10.49.0.1.38127 > 10.1.8.26.514: [udp sum ok] SYSLOG, length: 99
        Facility authpriv (10), Severity info (6)
        Msg: Oct 30 13:33:04 router sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
        0x0000:  3c38 363e 4f63 7420 3330 2031 333a 3333
        0x0010:  3a30 3420 7062 722d 722d 6231 3120 7375
        0x0020:  646f 3a20 7061 6d5f 756e 6978 2873 7564
        0x0030:  6f3a 7365 7373 696f 6e29 3a20 7365 7373
        0x0040:  696f 6e20 6f70 656e 6564 2066 6f72 2075
        0x0050:  7365 7220 726f 6f74 2062 7920 2875 6964
        0x0060:  3d30 29
02:33:04.328722 IP (tos 0x0, ttl 62, id 46426, offset 0, flags [DF], proto UDP (17), length 116)
    10.49.0.1.38127 > 10.1.8.26.514: [udp sum ok] SYSLOG, length: 88
        Facility authpriv (10), Severity info (6)
        Msg: Oct 30 13:33:04 router sudo: pam_unix(sudo:session): session closed for user root
        0x0000:  3c38 363e 4f63 7420 3330 2031 333a 3333
        0x0010:  3a30 3420 7062 722d 722d 6231 3120 7375
        0x0020:  646f 3a20 7061 6d5f 756e 6978 2873 7564
        0x0030:  6f3a 7365 7373 696f 6e29 3a20 7365 7373
        0x0040:  696f 6e20 636c 6f73 6564 2066 6f72 2075
        0x0050:  7365 7220 726f 6f74

Any help that could be provided would be fantastic!
Thanks in advance.

  1. Linux should work out of the box if you configure it as described in the manual:
    https://docs.graylog.org/en/3.1/pages/sending_data.html#sending-syslog-from-linux-hosts

  2. Cisco doesn’t follow the syslog standard. Use some content pack or create your own extraction rules.
    https://marketplace.graylog.org/addons?search=catalyst
    Also read this great blogpost:
    https://jalogisch.de/2018/working-with-cisco-asa-nexus-on-graylog/

  3. Your syslog message from Ubiquiti is definitely not RFC5424, but the older RFC3164 (BSD).
    https://help.ubnt.com/hc/en-us/articles/204975904-EdgeRouter-Remote-Syslog-Server-for-System-Logs
    An RFC5424 syslog message would be:
    <22>1 2019-10-30T13:18:27.876855+01:00 server postfix 11925 - - connect from abc

  4. Graylog can’t listen on port 514 (lower than 1024) by default, because it isn’t running as root but as a normal user. Please don’t try to run the Graylog service as root; it is not secure at all. So either use a redirect to port 514 using iptables, or set up a Graylog input on a port higher than 1024 and set up your Ubiquiti firewall to send syslog to this configured port.
    https://docs.graylog.org/en/3.1/pages/faq.html#how-can-i-start-an-input-on-a-port-below-1024

  5. If you want to send syslog on a different port (than 514) in the EdgeRouter configuration, use IP:port
    https://help.ubnt.com/hc/en-us/articles/204975904-EdgeRouter-Remote-Syslog-Server-for-System-Logs
    https://community.ui.com/questions/Sending-firewall-logs-to-remote-syslog-on-non-standard-port/dfec1181-57af-4b0b-bb9b-637389e957e9#answer/198ef4bc-9c50-4d16-b691-0d07fac6177b

  6. Check your timezone… Usually the device sends messages in another timezone, so Graylog records the message but it can’t be found. Try to change the search interval to a longer time (8 hours or so), or change from Relative to Absolute and set up the whole day (for example from today to tomorrow). Check also your timezone settings in /etc/graylog/server/server.conf, parameter root_timezone, to your real timezone.
    https://docs.graylog.org/en/3.1/pages/configuration/server.conf.html

  7. Use some extractor from the marketplace if you want to parse messages:
    https://marketplace.graylog.org/addons?search=edgerouter

Hope this helps.


Hi @shoothub,

Thanks for your reply. Currently using a plaintext UDP input and it works. The Syslog UDP input is not working.

  1. Linux is working just fine and I don’t have any issues.

  2. I understand that Cisco doesn’t use standards, and I will use some extractors to get this configured; not my current question and I will look at this at a later date.

  3. On further investigation, yes, you are correct: the Ubiquiti messages that I am getting look correct for RFC 3164 messages. Please see the example below from a configured router. The documentation confirms that RFC3164 is still compatible, so these messages should still be parsed and stored.

    <43>Nov 1 09:08:48 router rsyslogd: set SCM_CREDENTIALS failed on '/dev/log': Protocol not available 192.168.1.1 01/11 09:08:48.921
    <6>Nov 1 09:08:48 router kernel: imklog 5.8.11, log source = /proc/kmsg started. 192.168.1.1 01/11 09:08:49.011
    <46>Nov 1 09:08:48 router rsyslogd: [origin software="rsyslogd" swVersion="5.8.11" x-pid="4329" x-info="http://www.rsyslog.com"] start 192.168.1.1 01/11 09:08:49.016
    <86>Nov 1 09:08:48 router sudo: pam_unix(sudo:session): session closed for user root 192.168.1.1 01/11 09:08:49.021

  4. Yes, I understand that Graylog cannot use port 514 by default. During this testing stage I have used authbind to allow Graylog to use 514, to rule out rsyslog doing something strange when forwarding the messages to Graylog. I get the same results whether Graylog receives directly or rsyslog forwards the messages.

When using the Syslog (UDP) input, the messages that are received from the Ubiquiti hardware are not parsed and stored. Is there any log file that I can look at to see why the messages are not being parsed and stored?

  1. Yes, I have tried sending directly to Graylog on another port, still with the same result.

  2. Timezone on all the devices and Graylog is set to the same (AEDT)

  3. I have looked over the marketplace for extractors and have built some of my own.

Thanks for your assistance.
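The RFC3164-versus-RFC5424 distinction raised in the first reply, and the question of turning the PRI value into separate facility and level fields, worked through as an added Python example. This is not Graylog's or Ubiquiti's code. The sample lines are constructed from the messages quoted in this thread, with the trailing "192.168.1.1 01/11 ..." text dropped on the assumption that it is an annotation from the capture tool rather than part of the datagram. Because an RFC3164 timestamp carries neither a year nor a timezone, the parser must assume both; the year 2019 and the AEDT offset (UTC+11) used here are assumptions for the example, and the conversion to UTC shows why a wrong assumption moves a message outside the search window.

```python
"""Decode syslog PRI and parse RFC3164 (BSD) and RFC5424 messages.

Added example, not Graylog's or Ubiquiti's code. Sample lines are constructed
from the messages quoted in the thread. The year and zone applied to RFC3164
timestamps are assumptions, since that format carries neither.
"""
import re
from datetime import datetime, timedelta, timezone

# Facility and severity names as numbered in RFC3164 / RFC5424.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD [MSG]  (version "1" after PRI)
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)
# RFC3164: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG  (no year, no zone, no version digit)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<body>.*)$", re.S)
# TAG is the program name, optionally followed by [pid], then a colon.
TAG_RE = re.compile(r"^(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$", re.S)

# Constructed samples, taken from the messages quoted in the thread.
SAMPLES_3164 = [
    "<43>Nov 1 09:08:48 router rsyslogd: set SCM_CREDENTIALS failed on '/dev/log': Protocol not available",
    "<6>Nov 1 09:08:48 router kernel: imklog 5.8.11, log source = /proc/kmsg started.",
    '<46>Nov 1 09:08:48 router rsyslogd: [origin software="rsyslogd" swVersion="5.8.11" x-pid="4329" x-info="http://www.rsyslog.com"] start',
    "<86>Nov 1 09:08:48 router sudo: pam_unix(sudo:session): session closed for user root",
]
SAMPLE_5424 = "<22>1 2019-10-30T13:18:27.876855+01:00 server postfix 11925 - - connect from abc"

AEDT = timezone(timedelta(hours=11))  # assumption: the router's local zone (AEDT, UTC+11)


def decode_pri(pri):
    """Split PRI into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7


def parse_syslog(line, assumed_year=2019, assumed_tz=AEDT):
    """Parse one syslog datagram into a dict with separate facility/level fields."""
    line = line.rstrip("\r\n")
    m = RFC5424_RE.match(line)
    if m:
        fmt = "rfc5424"
        # RFC5424 timestamps are full ISO 8601 with an offset; "-" means no timestamp.
        ts = None if m["ts"] == "-" else datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        app, pid, msg = m["app"], m["procid"], m["msg"] or ""
    else:
        m = RFC3164_RE.match(line)
        if not m:
            raise ValueError("not a syslog message: " + line[:40])
        fmt = "rfc3164"
        ts_text = " ".join(m["ts"].split())  # collapse the "Nov  1" day padding
        # The receiver has to supply the missing year and zone itself.
        ts = datetime.strptime(f"{assumed_year} {ts_text}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=assumed_tz)
        t = TAG_RE.match(m["body"])
        app, pid, msg = (t["app"], t["pid"], t["msg"]) if t else (None, None, m["body"])
    facility, severity = decode_pri(int(m["pri"]))
    return {
        "format": fmt,
        "pri": int(m["pri"]),
        "facility": facility, "facility_name": FACILITIES[facility],
        "severity": severity, "severity_name": SEVERITIES[severity],
        "timestamp_utc": ts.astimezone(timezone.utc) if ts else None,
        "host": m["host"], "app": app, "pid": pid, "message": msg,
    }


if __name__ == "__main__":
    for raw in SAMPLES_3164 + [SAMPLE_5424]:
        r = parse_syslog(raw)
        print(f'{r["format"]} <{r["pri"]}> {r["facility_name"]}.{r["severity_name"]} '
              f'{r["timestamp_utc"]} {r["host"]} {r["app"]}: {r["message"][:40]}')
```

Run stand-alone it prints one line per sample; note that the "Nov 1 09:08:48" messages land at 22:08:48 UTC on 31 October once the assumed AEDT offset is applied, which is the kind of shift the timezone advice in the first reply refers to. Graylog's own Syslog input does this decoding itself; the point of the example is to show what a correct RFC3164 or RFC5424 datagram has to look like for that decoding to succeed.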
