Syslog sending logs


#1

Hello,
I send the logs of my firewall (Palo Alto) by syslog. In the logs of the firewall I see that it connects to my Graylog server, but I do not receive the logs on my Graylog server.
Do you have an idea of what's going on?


(Jochen) #2

No, because you haven’t provided any information about the setup, such as the complete configuration of all relevant components and their complete logs.

http://docs.graylog.org/en/2.4/pages/configuration/file_location.html


#3

I just saw that no syslog input works; it worked before.
My switch input:

2018-06-18T16:41:16.336+02:00 INFO  [AggregatesMaintenance] Removed 0 history items
2018-06-18T16:42:16.335+02:00 INFO  [AggregatesMaintenance] Removed 0 history items
2018-06-18T16:43:16.336+02:00 INFO  [AggregatesMaintenance] Removed 0 history items
2018-06-18T16:43:50.106+02:00 INFO  [InputStateListener] Input [Syslog TCP/5addde8e61a3b40f11d66023] is now STOPPING
2018-06-18T16:43:50.107+02:00 INFO  [InputStateListener] Input [Syslog TCP/5addde8e61a3b40f11d66023] is now STOPPED
2018-06-18T16:43:50.107+02:00 INFO  [InputStateListener] Input [Syslog TCP/5addde8e61a3b40f11d66023] is now TERMINATED
2018-06-18T16:43:50.994+02:00 INFO  [InputStateListener] Input [Syslog TCP/5addde8e61a3b40f11d66023] is now STARTING
2018-06-18T16:43:50.996+02:00 WARN  [NettyTransport] receiveBufferSize (SO_RCVBUF) for input SyslogTCPInput{title=Switch/routeur , type=org.graylog2.inputs.syslog.tcp.SyslogTCPInput, nodeId=c910ac4e-778c-4485-bcda-3aa3f93a0580} should be 1048576 but is 212992.
2018-06-18T16:43:50.997+02:00 INFO  [InputStateListener] Input [Syslog TCP/5addde8e61a3b40f11d66023] is now RUNNING

Conf switch

logging host 192.168.10.1 transport tcp port 1514
logging trap 6
logging on 

I can ping my Graylog server from the switch.

My input:

allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
override_source: <empty>
port: 1514
recv_buffer_size: 1048576
store_full_message: false
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file:
tls_key_password:
use_null_delimiter: false

I don't have more information.


#4

My switch input works now.


(Jochen) #5

If you provide some details about the problem, other users with the same problem can find it when searching the forum.


(Rob) #6

More info would definitely help, but make sure that you opened port 1514 on the firewall of the Graylog server as well.

https://firewalld.org/documentation/man-pages/firewall-cmd.html


#7

I restarted my input and handed the conf to the switch; after that it worked:

logging host 192.168.10.1 transport tcp port 1514
logging trap 6
logging on

For the firewall it was my bad: I had just created the profile, and it was still necessary to select the logs to send. That is why the log of my firewall and my input said connected but I didn't see any logs coming.
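
An added example, not part of any post in this thread: a small probe that sends one newline-delimited syslog message to a Syslog TCP input, to tell a blocked port or a stopped input apart from a sender that connects but forwards nothing. The address and port are the ones from the switch configuration above; the function names, hostname and message text are hypothetical.

```python
import socket
from datetime import datetime


def build_frame(message, hostname="probe-host", facility=16, severity=6,
                null_delimiter=False, now=None):
    """Build one RFC 3164-style syslog message framed for a TCP input.

    facility 16 is local0; severity 6 is informational. The default newline
    delimiter matches an input with use_null_delimiter set to false.
    """
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    if "\n" in message or "\x00" in message:
        raise ValueError("message must not contain a frame delimiter")
    pri = facility * 8 + severity
    now = now or datetime.now()
    # RFC 3164 timestamp: "Mmm dd hh:mm:ss", day of month padded with a space.
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    delimiter = b"\x00" if null_delimiter else b"\n"
    line = f"<{pri}>{stamp} {hostname} probe: {message}"
    return line.encode("utf-8") + delimiter


def send_probe(host, port, message, timeout=5.0, **frame_options):
    """Send one frame and return how far the attempt got."""
    frame = build_frame(message, **frame_options)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(frame)
    except ConnectionRefusedError:
        return "refused"   # host reachable, nothing listening (input stopped?)
    except socket.timeout:
        return "timeout"   # no answer, typical of a packet filter dropping traffic
    except OSError as exc:
        return f"error: {exc}"
    return "sent"          # now search Graylog for the message text


if __name__ == "__main__":
    # Address and port taken from the switch configuration in the thread.
    marker = "graylog input probe (constructed test message)"
    print(send_probe("192.168.10.1", 1514, marker))
```

If the probe message shows up in Graylog but the device's logs do not, the input and the network path are fine and the sender's forwarding configuration is the place to look.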

