Unable to get the logs in graylog gui

Graylog Central (peer support)
1

1. Describe your incident:
I am able to get the logs from all devices that are added to graylog but unable to see the logs from a firewall to my graylog gui although the traffic from that device is visible in the cli.

WhatsApp Image 2022-01-25 at 17.37.26
WhatsApp Image 2022-01-25 at 17.37.261266×705 265 KB

And I get this in /var/log/elasticsearch/graylog.log file.
– cat graylog.log |grep ‘172.20.23.148’

[2022-01-25T17:32:59,998][DEBUG][o.e.a.b.TransportShardBulkAction] [DC-ELASTIC-01] [graylog_3][1] failed to execute bulk item (index) index {[graylog_deflector][message][ad330c80-7dd6-11ec-923d-005056a5b9cb], source[{"date":"2022-01-25,time=17:32:58,devname=","devid":"FGT1KD5818800570","msg":"Delete 2 old report files","tz":"+0530","gl2_remote_ip":"172.20.23.148","gl2_remote_port":9223,"eventtime":"1643112179228197507,tz=","source":"172.20.23.148","type":"event","gl2_source_input":"5ee4aa493751891269f56286","subtype":"system","devname":"DC-DEL-EFW-01","gl2_source_node":"a0c03946-aab2-44b2-a932-ecb6889d495d","timestamp":"2022-01-25 12:02:32.391","level":6,"streams":["000000000000000000000001"],"message":"date=2022-01-25,time=17:32:58,devname=\"DC-DEL-EFW-01\",devid=\"FGT1KD5818800570\",eventtime=1643112179228197507,tz=\"+0530\",logid=\"0100020027\",type=\"event\",subtype=\"system\",level=\"information\",vd=\"root\",logdesc=\"Outdated report files deleted\",msg=\"Delete 2 old report files\"","vd":"root","logdesc":"Outdated report files deleted","20201217":"2","full_message":"<190>date=2022-01-25,time=17:32:58,devname=\"DC-DEL-EFW-01\",devid=\"FGT1KD5818800570\",eventtime=1643112179228197507,tz=\"+0530\",logid=\"0100020027\",type=\"event\",subtype=\"system\",level=\"information\",vd=\"root\",logdesc=\"Outdated report files deleted\",msg=\"Delete 2 old report files\"","logid":"0100020027","facility":"local7"}]}

2. Describe your environment:

  • OS Information: Ubuntu 18.04

  • Package Version: Graylog 3.0.2 and Elasticsearch 6.8

2

Hello

What type of input are you using for your firewall logs?

Could you explain in greater detail of your configuration to ingest firewall logs.

Thanks

3

Thanks for your response.
We are using syslog udp input on port 1514 to collect all message logs. And also created a gelf input on same port.

4

Troubleshooting 101.

Try using RawPlainText UDP for your firewall logs see if that works.
EDIT: If you can keep the default port on that to 5555

5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.