Syslog UDP input looks good, but no data in index from it to search

JTHL · 2018-11-09 23:32:14 UTC

I have a Graylog install running. Most of it works fine.

I created a new input for a Syslog UDP data source. It IS recieveing data, both as seen by tcpdump and in the inputs interface.

However, none of the data seems to be searchable.

So I can’t create extractors because there are no messages to base them on. I can’t do it by message ID either, since I can’t find a message to get the ID from.

My input, “cowrie-hpot” doesn’t appear in Sources, and the overridden “source” field doesn’t show up as a source in Search.

My OTHER inputs create data sources that get indexed just fine. I have syslog TCP and UDP coming in, as well as a GELF source from various firewalls, servers, and proxies. So its not that something wrong with the entire GL installation.

What are some things that could be preventing that one input not creating usable data? Where is it going? How do I fix it?
Removing the input and creating a new one didn’t help.
TIA

jan · 2018-11-10 08:17:11 UTC

maybe your source is not sending proper syslog data - or the time is far in the past or in the future.

You might want to create a RAW Input and just point this source to that to see if something is coming in and how that looks like

JTHL · 2018-11-11 03:33:43 UTC

great point! thanks!
is there a parser log that i could look at to see if it has been complaining about incoming data not being proper syslog?

JTHL · 2018-11-11 07:01:40 UTC

You were dead right. Thanks!
Cowrie was sending text logs, but Raw UDP worked fine. Older version of Cowrie didn’t have this problem.
Thanks a ton!