Syslog messages not forwarded via proxy

1. Describe your incident:

So it appears the syslog messages are not being passed on by the proxy. I have tested on a second setup and this received messages OK. I can now be sure that this is to do with nginx. If I monitor the traffic coming in to the nginx proxy, it looks like the syslog messages from switches do not contain a port number, so I can only assume nginx is then rejecting the messages. The switches are configured correctly and I have tried varying their configs slightly to test out theories. Has anyone had a similar problem? My only other consideration is to install Graylog on the proxy box and let it process those switch messages, but it would then be an odd cluster.

2. Describe your environment:

Ubuntu Server LTS x4
Mongo and Elasticsearch on x3
nginx on x1

Each with 8 cores and 24 GB RAM

  • Package Version:
    Graylog 6.0.3+eb761c5 (Eclipse Adoptium 17.0.11 on Linux 5.15.0-116-generic)

3. What steps have you already taken to try and solve the problem?

Observed correct information on a temp setup

4. How can the community help?

Advice on nginx or my setup

Hello @Primax98

The messages from the switch must be arriving on a port, does tcpdump on the Nginx box give some indication?

Hi there, yes, I can see the syslog messages hitting the port on the nginx load balancer, but from what I can tell those messages do not contain a port number, “i.e. 514”, so it seems that the nginx LB doesn't know what to do with this. I tested this with another syslog product with no LB and it works fine. So it must be my LB that's at fault.

Thank you

Paul

@Primax98 feel free to post your nginx config here.

Here is an example of what I mean

13:03:30.663980 eth0 In IP (tos 0x0, ttl 63, id 54721, offset 0, flags [none], proto UDP (17), length 223)
MySwitch.pauly.net.syslog > syslog.pauly.net.syslog: SYSLOG, length: 195
Facility user (1), Severity warning (4)
Msg: Jul 31 12:03:33 192.168.69.5 notice: Notice-Type=‘Running Config Change’,Event-ID= ‘1283’,Config-Method=‘CLI’,Device-Name=‘MySwitch’,User-Name=‘admin’,Remote-IP-Address=‘10 .100.100.100’

Example of a message getting through the nginx LB to Graylog
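
As an added example (not part of any post in this thread), a short Python decoder for the verbose tcpdump capture quoted above: it reads the transport protocol, both `host.port` endpoints and the syslog priority. The `SERVICES` table is an assumed subset of the service names tcpdump prints in place of port numbers when run without `-n`, and the function names are hypothetical.

```python
import re

# Constructed sample: the first three capture lines quoted in the thread.
CAPTURE = """\
13:03:30.663980 eth0 In IP (tos 0x0, ttl 63, id 54721, offset 0, flags [none], proto UDP (17), length 223)
MySwitch.pauly.net.syslog > syslog.pauly.net.syslog: SYSLOG, length: 195
Facility user (1), Severity warning (4)
"""

# Assumption: small subset of the service names tcpdump substitutes for
# numeric ports (as listed in /etc/services) when -n is not given.
SERVICES = {"syslog": 514, "domain": 53, "ntp": 123}

PROTO = re.compile(r"proto (\w+) \((\d+)\), length (\d+)")
FLOW = re.compile(r"^\s*(\S+) > (\S+): SYSLOG, length: (\d+)", re.M)
PRI = re.compile(r"Facility \w+ \((\d+)\), Severity \w+ \((\d+)\)")


def split_endpoint(endpoint):
    """Split tcpdump's 'host.port' form; the port is the last dotted label."""
    host, _, svc = endpoint.rpartition(".")
    port = int(svc) if svc.isdigit() else SERVICES.get(svc)  # None if unknown
    return host, port


def decode(capture):
    """Return protocol, endpoints, lengths and syslog PRI for one packet."""
    proto, flow, pri = (rx.search(capture) for rx in (PROTO, FLOW, PRI))
    if not (proto and flow and pri):
        raise ValueError("not a verbose tcpdump syslog capture")
    facility, severity = int(pri.group(1)), int(pri.group(2))
    return {
        "proto": proto.group(1),
        "ip_len": int(proto.group(3)),
        "src": split_endpoint(flow.group(1)),
        "dst": split_endpoint(flow.group(2)),
        "payload_len": int(flow.group(3)),
        # RFC 3164/5424 priority value: facility * 8 + severity
        "pri": facility * 8 + severity,
    }


if __name__ == "__main__":
    for key, value in decode(CAPTURE).items():
        print(f"{key:12} {value}")
```

With numeric output (`tcpdump -n`) the same parser returns the port digits directly, so the lookup table is only needed for captures taken without that flag.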
