Syslog messages from EMC Unity not visible in Graylog

Hi,

We are using two EMC Unity Storage systems, and I have configured both to send logs via syslog to Graylog. But I don't see the messages inside GL. The systems are in the same subnet, so there is no firewall filtering the traffic.

I tested Kiwi Syslog as another destination, here I see a lot of incoming messages every minute. So sending syslog messages does work.
I can't find any error in the graylog-server logfile on the receiving host.

Then I ran tcpdump on the GL system and I also see that the syslog messages are received on the Graylog server.

But I found that my Lookup Table for reverse DNS lookups is complaining about the hostname. So I disabled processing of this stream in the pipeline which uses this lookup table, but nothing changed.
ERROR [DnsLookupDataAdapter] Could not resolve [A] records for hostname [hostname_spb@emcserial.mydomain.com]. Cause [[hostname_spb@emcserial.mydomain.com] is an invalid hostname. Please supply a pure hostname (eg. api.graylog.com).]

Any advice on how to find out why those messages are not visible in Graylog? Could the malformed hostname cause this issue? In Kiwi Syslog I only see the IP of the sending device.
I have a lot of other systems using syslog and they are all working.

Graylog Free 3.3.2 on Centos 8

Thank you

  1. You are probably facing a problem with the timestamp. Your device sends the syslog timestamp in a non-standard format. Try to use a Raw input, so Graylog doesn't try to parse the timestamp, and create an extractor/pipeline rule if you want to parse the message.

  2. Maybe the messages are there in Graylog, but with future timestamps, so it can't show them. Try to search for messages using the Absolute time frame selector, and choose an interval, e.g. from one day ago to one day in the future.
    https://docs.graylog.org/en/3.3/pages/searching/time_frame_selector.html#absolute-time-frame-selector

Hi shoothub,

This is strange…

I searched without limiting the time ("search in all messages") and I found some messages from a few days ago. So I suppose that I don't have a problem with parsing timestamps or timestamps in the past.

Then I tested a Raw UDP and a Raw TCP input and I was able to receive all messages with both inputs. Why is this working, and why are there no errors in the GL log when using the syslog input?

Raw UDP and TCP inputs don't parse the timestamp from the message at all; they use the date and time of message arrival as the timestamp.

Try to use the Absolute time picker and choose the from date: click the first field and choose yesterday on the calendar, then click the second field, select tomorrow and search. If you have a problem with the timestamp (different timezone, not NTP synced, etc.), messages can be saved in the future.
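The two symptoms in this thread (a syslog hostname field the DNS lookup adapter rejects, and messages that land in the future because the device's RFC 3164 timestamp carries no year or timezone) can be reproduced with a small checker. This is an added example, not code from the thread or from Graylog; the sample messages are constructed (the `hostname_spb@emcserial.mydomain.com` host is taken from the error message quoted above, the rest is invented), and the "pure hostname" test follows RFC 1123 label rules rather than Graylog's exact validator.

```python
"""Check an RFC 3164 syslog line the way a receiver would: is the HOSTNAME
field resolvable, and where does the timestamp land once the receiver fills
in the year and timezone the wire format leaves out?  (Added example.)"""
import re
from datetime import datetime, timedelta, timezone

# RFC 3164 header: "<PRI>Mmm dd hh:mm:ss HOSTNAME message"
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; <= 63 chars.
HOST_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed samples: a well-formed message and one carrying the odd
# "user@host"-style HOSTNAME field seen in the lookup-table error above.
SAMPLE_OK = "<14>Jul 20 10:15:00 fileserver01 sshd[123]: Accepted publickey"
SAMPLE_BAD_HOST = "<14>Jul 20 10:15:00 hostname_spb@emcserial.mydomain.com array: event"

# Assumed receiver clock: the message arrived at 08:16 UTC.
RECEIVED_AT = datetime(2020, 7, 20, 8, 16, 0, tzinfo=timezone.utc)
UTC = timezone.utc
UTC_PLUS_2 = timezone(timedelta(hours=2))  # assumed device timezone


def is_pure_hostname(host: str) -> bool:
    """True only for a dot-separated RFC 1123 hostname; '@', '_' and spaces
    make the field unusable for an A-record lookup."""
    if not host or len(host) > 253:
        return False
    return all(HOST_LABEL_RE.match(label) for label in host.split("."))


def parse_timestamp(ts_text: str, received_at: datetime, assumed_tz: timezone) -> datetime:
    """RFC 3164 timestamps have no year and no zone, so the receiver must
    supply both: the year from arrival time, the zone from input config."""
    normalized = " ".join(ts_text.split())  # "Jul  5" -> "Jul 5"
    naive = datetime.strptime(f"{received_at.year} {normalized}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=assumed_tz)


def check_message(line: str, received_at: datetime, assumed_tz: timezone,
                  tolerance: timedelta = timedelta(minutes=5)) -> dict:
    """Parse one line and report hostname validity and whether the resolved
    timestamp is ahead of the receiver's clock by more than `tolerance`."""
    m = RFC3164_RE.match(line)
    if not m:
        return {"parsed": False}
    ts = parse_timestamp(m["ts"], received_at, assumed_tz)
    return {
        "parsed": True,
        "hostname": m["host"],
        "hostname_is_pure": is_pure_hostname(m["host"]),
        "timestamp": ts,
        "in_future": ts - received_at > tolerance,
    }


def run_checks() -> dict:
    """Same device time (10:15 local, UTC+2) interpreted with two receiver
    assumptions: as UTC it lands ~2h in the future; as UTC+2 it is fine."""
    return {
        "ok_assumed_utc": check_message(SAMPLE_OK, RECEIVED_AT, UTC),
        "ok_assumed_plus2": check_message(SAMPLE_OK, RECEIVED_AT, UTC_PLUS_2),
        "bad_host": check_message(SAMPLE_BAD_HOST, RECEIVED_AT, UTC),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

The `in_future` flag is exactly what makes a default relative search miss the message: the receiver stores the future timestamp, and only an absolute range that reaches into tomorrow will return it. Fixing the device's timezone setting on the input (or NTP on the array) is the durable remedy; the Raw input merely sidesteps the parse by stamping arrival time.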
