Troubleshoot why logs are not coming in

Hello,

I am using Graylog single node and on version 2.3.0.

I need some help in checking / troubleshooting why my Graylog server is not receiving rsyslog logs from some Linux servers. I have done the necessary rsyslog configuration on my Linux hosts, however in my Graylog web UI I neither see any logs coming in from these servers nor do these servers show up in the list under the “Sources” page.

I then tried using the tcpdump command on my Graylog server to check if it's receiving data or not. What’s weird is that the tcpdump output is not showing any incoming traffic from any of my sources (even stuff that’s working). I am successfully receiving logs from a couple of Windows hosts & Cisco switches. Why is tcpdump not even showing that here?

Output of tcpdump:

icssec@gitlab:~$ sudo tcpdump  -i any -v 'port 514'
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes

Try specifying the specific network interface instead of any.

What’s the rsyslog configuration of your clients and what’s the configuration of your Graylog inputs?
Are there any firewalls/packet filters blocking packets?
Are you sure that the Syslog input in Graylog is listening on port 514/udp or 514/tcp?

Thank you jochen. It was a tcp v/s udp issue. We have got it to work.
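As an added example (not from this thread or from Graylog itself), here is a small Python check for the mismatch the thread ended on: it reads a client's rsyslog forwarding rule, works out whether the client sends UDP (`@host`) or TCP (`@@host`, or `protocol="tcp"` in RainerScript), and compares that with the protocol/port of the Graylog Syslog input. The `graylog_inputs` list is assumed to be typed in from the Graylog "Inputs" page; the hostnames and ports below are constructed sample values.

```python
import re
import socket

# Legacy rsyslog forwarding syntax: "*.* @host:514" sends UDP, "*.* @@host:514" sends TCP.
# An optional "(o)"-style option block may follow the @; IPv6 bracket syntax is not handled here.
LEGACY_RE = re.compile(r'^\s*\S+\s+(@@?)(?:\([^)]*\))?([^\s:;]+)(?::(\d+))?(?:;\S+)?\s*$')
# RainerScript syntax: action(type="omfwd" target="host" port="514" protocol="tcp")
RAINER_RE = re.compile(r'action\s*\(([^)]*)\)')


def parse_rsyslog_forward(line):
    """Return (protocol, host, port) for a forwarding rule, or None if the line is not one."""
    if line.lstrip().startswith("#"):
        return None
    m = LEGACY_RE.match(line)
    if m:
        proto = "tcp" if m.group(1) == "@@" else "udp"
        port = int(m.group(3)) if m.group(3) else 514  # syslog default port
        return proto, m.group(2), port
    m = RAINER_RE.search(line)
    if m:
        params = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', m.group(1)))
        if params.get("type", "").lower() == "omfwd":
            # omfwd defaults to UDP on port 514 when protocol/port are omitted
            return (params.get("protocol", "udp").lower(), params.get("target", ""),
                    int(params.get("port", "514")))
    return None


def check_match(rule, graylog_inputs):
    """Compare one client rule with the (protocol, port) pairs of the Graylog inputs."""
    parsed = parse_rsyslog_forward(rule)
    if parsed is None:
        return "not a forwarding rule"
    proto, host, port = parsed
    if (proto, port) in graylog_inputs:
        return "ok"
    other = "tcp" if proto == "udp" else "udp"
    if (other, port) in graylog_inputs:
        return f"mismatch: {host} is sent {proto}/{port} but Graylog listens on {other}/{port}"
    return f"no Graylog input on {proto}/{port}"


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to the input succeeds; UDP inputs cannot be probed this way."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    inputs = [("tcp", 514)]  # constructed: the only Syslog input configured in Graylog
    for rule in ("*.* @10.0.0.5:514", "*.* @@10.0.0.5:514"):
        print(rule, "->", check_match(rule, inputs))
```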
