I have Debian 10 running on ESXi and Graylog installed on top of it per the Graylog/Debian instructions. I am able to access the web interface on port 9000.
I created my first input for syslog info using UDP port 5140 and set up a few network devices to send their syslogs to the Graylog IP on port 5140.
Using tcpdump, I see the traffic hitting the interface, but nothing is making it to Graylog.
The Syslog config:
Is UFW or firewalld running? While you may see traffic hitting the interface, if any host-based firewall is running, you'll still have to put a rule in place to allow the traffic.
@chopper
I have a couple of questions; I'm not too familiar with Debian. So if I got this right, no firewall/iptables is running. SELinux/AppArmor installed? Checked permissions on the Graylog files? Instead of bind_address: 10.14.20.47, have you tried the Global setting instead, just for troubleshooting? Are there any errors/warnings in the log files on the Graylog server or client?
AppArmor is enabled but does not show any enforced profiles for Graylog, and I am not finding that it is blocking anything, although the Debian wiki isn't the most up to date when it comes to the commands for seeing what AppArmor is filtering.
No firewall, and AppArmor is installed by default, but I have not found that it is blocking anything. That program is new to me and the Debian wiki seems to be behind on the commands, but I do not see anything in the logs showing that it's blocking ports. I have not checked permissions, but I did follow the Graylog instructions when setting it up. The default was to use the global address and I did try using it first. That was the first thing I changed while troubleshooting this issue. The only error in the Graylog log file is about licensing.
The client is a network device running syslog. I've attached screenshots showing that the device's traffic is making it to the Graylog server but no traffic is making it to the input. Being new is always such a pain. I'll try with separate posts.
Can you show me your syslog configuration? It's hard to help you if we don't have all the information.
For the network device, try configuring "Raw/Plaintext UDP" for your input to see if that helps.
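To make the checklist from the replies above repeatable (host firewall, AppArmor denials, whether anything is actually bound to the input's UDP port, and whether the problem is the syslog parser rather than the network), here is an added troubleshooting script. It is not part of the original thread or of Graylog itself. It assumes it is run on the Graylog host, ideally as root so `ss -p`, the firewall tables and the kernel log are readable; the address and port (10.14.20.47, UDP 5140) are taken from the thread as defaults, and the `graylog-test` tag and message texts are made up for the test.

```shell
#!/usr/bin/env bash
# Added troubleshooting helper for a Graylog UDP syslog input (not part of the
# original thread or of Graylog). Run on the Graylog host, preferably as root.
# Defaults are the address and port from the thread; override with
# GRAYLOG_IP=... INPUT_PORT=... if yours differ.
set -u

GRAYLOG_IP="${GRAYLOG_IP:-10.14.20.47}"
INPUT_PORT="${INPUT_PORT:-5140}"

# Build an RFC 3164 (BSD) syslog line: <PRI>TIMESTAMP HOST TAG: MSG
# PRI = facility*8 + severity, e.g. local0 (16) and info (6) give <134>.
# The timestamp is an argument so the output is deterministic ("Mmm dd hh:mm:ss",
# day space-padded, as the RFC requires).
build_rfc3164() {
    local facility=$1 severity=$2 timestamp=$3 host=$4 tag=$5 msg=$6
    local pri=$(( facility * 8 + severity ))
    printf '<%d>%s %s %s: %s' "$pri" "$timestamp" "$host" "$tag" "$msg"
}

# Is anything bound to the input's UDP port? Graylog binds only once the input
# is started, so packets can show up in tcpdump and still have no receiver.
listener_on_port() {
    ss -Hlun "sport = :$1" 2>/dev/null | grep -q .
}

# Host firewall state: UFW status if it is installed, otherwise the INPUT chain.
host_firewall_rules() {
    if command -v ufw >/dev/null 2>&1; then
        ufw status verbose
    else
        iptables -S INPUT 2>/dev/null || echo "iptables not available or not permitted"
    fi
}

# AppArmor denials are audit records in the kernel log tagged apparmor="DENIED".
apparmor_denials() {
    { journalctl -k --no-pager 2>/dev/null || dmesg 2>/dev/null; } | grep 'apparmor="DENIED"'
}

# Send one datagram via bash's /dev/udp pseudo-device (no nc or logger needed).
send_udp() {
    { printf '%s\n' "$3" > "/dev/udp/$1/$2"; } 2>/dev/null
}

main() {
    echo "== UDP/$INPUT_PORT listener =="
    if listener_on_port "$INPUT_PORT"; then
        ss -Hlunp "sport = :$INPUT_PORT"
    else
        echo "nothing is listening on UDP/$INPUT_PORT: check that the input is started and its bind_address"
    fi

    echo "== host firewall =="
    host_firewall_rules

    echo "== AppArmor denials =="
    apparmor_denials || echo "none found"

    echo "== test messages to $GRAYLOG_IP:$INPUT_PORT =="
    now=$(date '+%b %e %H:%M:%S')
    # Well-formed BSD syslog line; a Syslog UDP input should accept it.
    send_udp "$GRAYLOG_IP" "$INPUT_PORT" \
        "$(build_rfc3164 16 6 "$now" "${HOSTNAME:-localhost}" graylog-test "rfc3164 test message")" \
        || echo "send failed (no route to $GRAYLOG_IP?)"
    # Bare text with no <PRI> or timestamp; a Syslog UDP input may refuse to
    # parse it, while a Raw/Plaintext UDP input takes it verbatim.
    send_udp "$GRAYLOG_IP" "$INPUT_PORT" "graylog-test raw message" \
        || echo "send failed (no route to $GRAYLOG_IP?)"
    echo "sent; search Graylog for graylog-test and compare which of the two arrived"
}

main "$@"
```

Reading the result: if the listener check prints nothing, the input is stopped or bound to an address other than the one the devices send to, and no firewall or AppArmor change will help. If the RFC 3164 message arrives but the bare one does not, the input is fine and the network device's message format is what the syslog parser is rejecting, which is the situation the Raw/Plaintext UDP suggestion above addresses.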