UDP/TCP IN Blocked


(Jonathan Julius Kayumbo) #1

Hello guys,
I am new to Graylog and I'm facing one issue with sending logs to my Graylog server from remote servers.
I have edited the rsyslog.conf file on a remote server as required and created an input on the Graylog server, but I cannot see the logs popping up. I can, however, see this message from the Graylog logs:


(Jan Doberstein) #2

He

How did you install Graylog? What have you configured, and how?

Did you check whether you are able to reach the configured input port on Graylog from the sending server?


(Jan Doberstein) #3

You should decide whether you want to hijack another topic

or have your own; doing both does not work.


(Jonathan Julius Kayumbo) #4

Okay, so I actually installed Graylog on Docker (Ubuntu Server); I followed all the instructions in the Graylog documentation on how to install Graylog on Docker.

I tried to reach the configured port 514 from the sending server but it was not successful. Here is the screenshot:
connection-graylog

In addition, I have csf installed on the Ubuntu server that is hosting Graylog, and I have added port 514 for both UDP and TCP INCOMING, so I was wondering if Graylog itself has some kind of firewall!


(Jan Doberstein) #5

How does your Docker startup command for Graylog, or your docker-compose file, look?


(Jonathan Julius Kayumbo) #6

It looks like this


(Jonathan Julius Kayumbo) #7

I have shared a screenshot


(Jan Doberstein) #8

He @JonathanKayumbo

I have shared a screenshot
</gre_replace>
<gr_replace lines="58" cat="clarify" orig="No need">
No need to give that additional information. It would be more helpful if you copy and paste the content of the file rather than posting a screenshot.

No need to give that additional information. It would be more helpful if you copy&paste the content of the file and not post a screenshot.

Did you create the input on port 514 in the Graylog UI?


(Jonathan Julius Kayumbo) #9

Sure!
Yes, I created both UDP and TCP.


(Jan Doberstein) #10

Did you check whether they are running?


(Jonathan Julius Kayumbo) #11

Yes, they are running fine and I can even receive some logs from one server and one MikroTik (router),
but I can't receive from other important servers.


(Jan Doberstein) #12

He @JonathanKayumbo

that information was missing: that you can receive messages from some sources while others are blocked. It would have been nice to have that information a little earlier in the conversation …

Did you check whether the sender can reach Graylog? That it can reach the port and nothing in between is blocking? Sherlock the way from the source to the target in your network, sniff the traffic and see where it is lost.

Maybe the Graylog server.log (in Docker, the log of the container) gives you some information. Maybe the source sends invalid syslog messages and they are discarded.


(Jonathan Julius Kayumbo) #13

I tried to reach the server (Graylog) on port 514 from the sending server but could not; however, I can see this message from Graylog:

[24865.172333] Firewall: UDP_IN Blocked IN=ens18 OUT= MAC=ff:ff:ff:ff:ff:ff:14:fe:b5:ec:8d:4v:08:00 SRC=41.76.88.7 DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=29364 PROTO=UDP SPT=60323 DPT=1947 LEN=4

This is the sending server's source IP, SRC=41.76.88.7, but as you can see there is a UDP_IN Block.

Maybe it could be a wrong timestamp, or something is blocking or discarding the rsyslog traffic from the sending server!

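An added example, not code from the thread or from Graylog: a small Python parser for csf/iptables kernel-log lines of the "Firewall: UDP_IN Blocked KEY=VALUE ..." shape quoted above, which keeps only inbound packets blocked on the syslog input port. The sample log is constructed (its first line mirrors the quoted one with a placeholder MAC; the others use TEST-NET addresses), and the quoted line does not match a port-514 filter because its DPT is 1947 and its DST is a broadcast address.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the csf/iptables kernel-log format quoted in this thread.
# Line 1 mirrors the line from the post (MAC replaced by a placeholder); the rest
# are made up with TEST-NET addresses to show what a blocked hit on port 514 looks like.
SAMPLE_LOG = """\
[24865.172333] Firewall: UDP_IN Blocked IN=ens18 OUT= MAC=ff:ff:ff:ff:ff:ff:00:00:5e:00:53:01:08:00 SRC=41.76.88.7 DST=255.255.255.255 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=29364 PROTO=UDP SPT=60323 DPT=1947 LEN=48
[24870.000001] Firewall: UDP_IN Blocked IN=ens18 OUT= MAC=00:00:5e:00:53:02:00:00:5e:00:53:03:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=40000 DPT=514 LEN=100
[24871.000001] Firewall: TCP_IN Blocked IN=ens18 OUT= MAC=00:00:5e:00:53:02:00:00:5e:00:53:03:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=50000 DPT=514 WINDOW=64240 RES=0x00 SYN URGP=0
[24872.000001] graylog-server: unrelated line that is not a firewall event
"""

_HEADER = re.compile(r"Firewall: (?P<chain>[A-Z]+_(?:IN|OUT)) (?P<action>\w+) ")
_KV = re.compile(r"(\w+)=(\S*)")


def parse_firewall_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one 'Firewall: <chain> <action> KEY=VALUE ...' line; None if it is not one."""
    m = _HEADER.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "action": m.group("action")}
    for key, value in _KV.findall(line[m.end():]):
        # LEN appears twice (IP total length, then UDP length); keep the first.
        fields.setdefault(key, value)
    return fields


def blocked_to_port(log: str, port: int, protos=("UDP", "TCP")) -> List[Dict[str, str]]:
    """Return blocked inbound packets whose destination port is the given input port."""
    hits = []
    for line in log.splitlines():
        f = parse_firewall_line(line)
        if (f and f["action"] == "Blocked" and f["chain"].endswith("_IN")
                and f.get("PROTO") in protos and f.get("DPT") == str(port)):
            hits.append(f)
    return hits


if __name__ == "__main__":
    # Show which senders the host firewall is dropping on the syslog input port.
    for f in blocked_to_port(SAMPLE_LOG, 514):
        print(f"{f['PROTO']} {f['SRC']}:{f['SPT']} -> {f['DST']}:{f['DPT']} blocked by {f['chain']}")
```

Run it against the Docker host's kernel log (where csf writes these lines) rather than the container log, since the block happens on the host before the packet ever reaches the Graylog input.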

(Jan Doberstein) #14

Did you see this on the docker host or inside the docker container where Graylog is running?


(Jonathan Julius Kayumbo) #15

I am actually sending all the logs from the server which is hosting Graylog to the Graylog application (I have created an input for it) as localhost logs.


(Jonathan Julius Kayumbo) #16

So I got this from the Graylog log messages; I hope it is clear.


(Jan Doberstein) #17

So what you showed is the log from the host where you run docker-compose up?

Then you should open the firewall of that host …


(Jonathan Julius Kayumbo) #18

Okay, I'm gonna do that and will get back with the results :slight_smile:


(system) closed #19

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.