Syslog Port 5140 not passing traffic

Graylog
#1

I have Debian 10 running on ESXI and graylog installed on top of it per the graybar/debian instructions. I am able to access the web interface on port 9000.

I created my first input for syslog info using UDP port 5140 and setup a few network devices to send the syslogs to the graylog IP and port 5140.
Using TCPDUMP, I see the traffic hitting the Interface but nothing making it to graylog.
The Syslog config:

allow_override_date: true
bind_address:  10.14.20.47
expand_structured_data: false
force_rdns: false
number_worker_threads: 4
override_source: <empty>
port: 5140
recv_buffer_size: 262144
store_full_message: false
#2

change your search to all messages

and see if it’s a timestamp issue… could be listed in the future or the past.

#3

There is nothing there under search and even under the input, it does not show traffic coming in.

#4

Is UFW or Firewalld running? While you may see traffic hitting the interface, if any host based firewalls are running, you’ll still have to put a rule in place to allow the traffic.

#5

I have not installed any firewall. IPTABLES shows the default of allow everything. PS does not show firewalld or ufw to be installed/running

#6

@chopper
I have a couple question, im not to familiar with Debian. So if i got this right, no firewall/Iptables running. Selinux/Apparmor installed? Checked permissions on Graylog files? Instead of bind_address: 10.14.20.47 have you tried Global setting instead just for troubleshooting? Is there any errors/warnings in the log files on the Graylog server or client?

#7

Is there anything in your journal? is message processing paused?

#8

Apparmor is enabled but does not show to have any enforced profiles for graylog and I am not finding that it is blocking anything, although the debian wiki isn’t the most up to date when it comes to using commands to see what apparrmor is filtering.

#9

The debian wiki says that it logs journal entries is syslog. Doing a search there turned up nothing.

#10

No I meant the graylog journal. Is there anything in there?

Default file locations — Graylog 4.0.0 documentation

#11

There are no entries in the /var/lib/graylog-server/journal/* files

#12

is message journal enabled in the server.conf?

# Enable the disk based message journal.
message_journal_enabled = true
#13

Yes, message_journal_enabled = true

#14

can you send a screenshot of your GUI for System | Nodes | Details?

in particular the process buffers and the journal.

#15

graylog1
graylog13428×1848 322 KB

The plugins list was too long for the screenshot but its all default.

#16

No firewall and apparmor is installed by default but I have not found that it is blocking anything. That program is new to me and debian wiki seems to be behind on the commands but I do not see anything in the logs showing that its blocking ports. I have not checked permissions, but did follow the graylog instructions when setting it up. The default was to use the global address and I did try using it first. That was the first thing I changed while troubleshooting this issue. The only error in the graylog log file is about licensing.

#17

@chopper
What syslog-client are you using to send logs to Graylog-Server?

Can you try a set up Syslog UDP INPUT like this for troubleshooting?

image
image608×941 40.1 KB

#18

The client is a network device running syslog. I’ve attached screenshots showing that the device is making it to the graylog server but not traffic is making it to the input. Being new is always such a pain. I’ll try with seperate posts.

graylog2
graylog21502×537 46.8 KB

#19

Hopefully this will be the second picture

graylog3
graylog31155×567 214 KB

#20

Can you show me your SYSLOG configuration. Its hard to help you if we dont have all the information.
For Network device try configuring "Raw/Plaintest UDP " for your input to see if that helps.