UDP/TCP in blocked

Hello guys,
I am new to Graylog and I'm facing one issue with sending logs to my Graylog server from remote servers.
I have edited the rsyslog.conf file on a remote server as required and created an input on the Graylog server, but I cannot see the logs popping up. I can, however, see this message from the Graylog logs:

Hey,

How did you install Graylog? What have you configured, and how?

Did you check if you are able to reach the configured input port on Graylog from the sending server?

You should decide if you want to hijack another topic or have your own - both does not work.

Okay, so I actually installed Graylog on Docker (Ubuntu Server). I followed all the instructions in the Graylog documentation on how to install Graylog on Docker.

I tried to reach the configured port 514 from the sending server but it was not successful; here is the screenshot.
In addition, I have csf installed on the Ubuntu server that is hosting Graylog, and I have added port 514 for both UDP and TCP incoming, so I was wondering if Graylog itself has some kind of firewall!

What does your docker startup command for Graylog, or your docker-compose file, look like?

It looks like this.

I have shared a screenshot.

Hey @JonathanKayumbo

I have shared a screenshot.

No need to give that additional information. It would be more helpful if you copy&paste the content of the file and not post a screenshot.

Did you create the input on port 514 in the Graylog UI?

Sure!
Yes, I created both UDP and TCP.

Did you check if they are running?

Yes, they are running fine and I can even receive some logs from one server and one MikroTik (router),
but I can't receive from other important servers.

Hey @JonathanKayumbo

That information was missing - that you can receive messages from some sources and others are blocked. It would be nice to have that information a little earlier in the conversation …

Did you check if the sender can reach Graylog? That it can reach the port and nothing in between is blocking? Sherlock the way from the source to the target in your network, sniff the traffic and see where it is lost.

Maybe the Graylog server.log (so in Docker, the log of the container) is giving you some information. Maybe the source sends invalid syslog messages and they are discarded.

I tried to reach the server (Graylog) on port 514 from the sending server but I could not; however, I can see this message from Graylog:

[24865.172333] Firewall: UDP_IN Blocked IN=ens18 OUT= MAC=ff:ff:ff:ff:ff:ff:14:fe:b5:ec:8d:4v:08:00 SRC=41.76.88.7 DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=29364 PROTO=UDP SPT=60323 DPT=1947 LEN=4

This is the sending server's source IP, SRC=41.76.88.7, but as you can see there is a UDP_IN Block.

Maybe it could be a wrong timestamp, or something is blocking or discarding the rsyslog from the sending server!
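
Added example, not part of the thread: a small parser for the csf firewall line quoted above that reports, for a given sender, whether each blocked packet was addressed to the Graylog input port (514) or was broadcast traffic to some other port. The second sample line, its `192.0.2.x` addresses, and all function names are constructed for this example.

```python
import re

# Constructed sample: the kernel log line quoted in the post above, plus one
# hypothetical line showing what a blocked syslog packet would look like.
SAMPLE_LOG = """\
[24865.172333] Firewall: UDP_IN Blocked IN=ens18 OUT= MAC=ff:ff:ff:ff:ff:ff:14:fe:b5:ec:8d:4v:08:00 SRC=41.76.88.7 DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=29364 PROTO=UDP SPT=60323 DPT=1947 LEN=4
[24901.000001] Firewall: UDP_IN Blocked IN=ens18 OUT= SRC=192.0.2.10 DST=192.0.2.20 LEN=120 TTL=60 PROTO=UDP SPT=40000 DPT=514 LEN=100
"""

# csf normally wraps the chain name in asterisks; accept the line with or without.
LINE_RE = re.compile(r"Firewall: \*?(?P<chain>\w+) Blocked\*? (?P<fields>.*)")


def parse_blocked(line):
    """Return a dict for one csf 'Blocked' line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain")}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep and key not in rec:  # LEN occurs twice (IP, then UDP); keep the first
            rec[key] = value
    return rec


def classify(rec, input_port=514):
    """Return (broadcast|unicast, True if the packet targeted the input port)."""
    broadcast = (rec.get("DST") == "255.255.255.255"
                 or rec.get("MAC", "").startswith("ff:ff:ff:ff:ff:ff"))
    kind = "broadcast" if broadcast else "unicast"
    return kind, rec.get("DPT") == str(input_port)


def blocked_summary(log_text, sender, input_port=514):
    """List (chain, proto, dport, kind, to_input) for blocked packets from sender."""
    out = []
    for line in log_text.splitlines():
        rec = parse_blocked(line)
        if rec and rec.get("SRC") == sender:
            kind, to_input = classify(rec, input_port)
            out.append((rec["chain"], rec["PROTO"], int(rec["DPT"]), kind, to_input))
    return out


if __name__ == "__main__":
    for row in blocked_summary(SAMPLE_LOG, "41.76.88.7"):
        print(row)
```

Run against the host's kernel log, a result with `to_input` set to `False` means the block entry is unrelated to the syslog input and the missing messages need to be traced elsewhere on the path.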

Did you see this on the docker host or inside the docker container where Graylog is running?

I am actually sending all the logs from the server which is hosting Graylog to the Graylog application (I have created an input for it) as localhost logs.

So I got this from the Graylog log messages; I hope it is clear.

So what you showed is the log from the host where you run the docker-compose up?

Then you should open the firewall of that host …

Okay, I'm gonna do that and will get back with the results 🙂
