/var/log/messages full

Wrong port again, assuming just a forum typo though.
Command: tcpdump -ni lo port 1514

That command should pick up packets being sent to Graylog’s syslog input, so if it’s not reporting any then it’s likely that rsyslog isn’t actually sending anything to the port.
Have you restarted the rsyslog service?

[root@graylog ~]# tcpdump -ni lo port 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
4 packets received by filter
0 packets dropped by kernel
[root@graylog ~]#

Same here with the correct port.
I also tried after restarting the rsyslog service, without success.

Could you post the output of
sestatus
and
netstat -tulpen
?

Thanks in advance.

Hi Shenke,

[root@graylog etc]# sestatus
SELinux status: disabled
[root@graylog etc]# netstat -tulpen
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          19906      1356/master
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      0          21870      2202/rsyslogd
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      996        20166      1558/mongod
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          19294      1165/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      0          19907      1356/master
tcp6       0      0 :::514                  :::*                    LISTEN      0          21871      2202/rsyslogd
tcp6       0      0 10.21.67.95:9000        :::*                    LISTEN      995        21771      1975/java
tcp6       0      0 127.0.0.1:1514          :::*                    LISTEN      995        22750      1975/java
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      994        20362      1169/java
tcp6       0      0 ::1:9200                :::*                    LISTEN      994        20361      1169/java
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      994        21247      1169/java
tcp6       0      0 ::1:9300                :::*                    LISTEN      994        20302      1169/java
tcp6       0      0 :::22                   :::*                    LISTEN      0          19296      1165/sshd
udp        0      0 127.0.0.1:323           0.0.0.0:*                           0          16682      811/chronyd
udp6       0      0 ::1:323                 :::*                                0          16683      811/chronyd

Thank you.
What I can see:

  • there is a running daemon which uses port 1514
  • SELinux is not running

Can you see the running input in your web interface?

If not, please check the output of
ps auxf | grep gray

On one of my hosts it looks like this:
graylog 22934 0.0 0.0 113184 1200 ? Ss 2019 0:00 /bin/sh /usr/share/graylog-server/bin/graylog-server

graylog 22956 138 55.5 15367224 9125680 ? Sl 2019 145035:18 \_ /usr/bin/java -Xms8g -Xmx8g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled -XX:+UseParNewGC -XX:-OmitStackTraceInFastThrow -XX:+UseParNewGC -jar -Dlog4j.configurationFile=file:///etc/graylog/server/log4j2.xml -Djava.library.path=/usr/share/graylog-server/lib/sigar -Dgraylog2.installation_source=rpm /usr/share/graylog-server/graylog.jar server -f /etc/graylog/server/server.conf -np

Yeah my input is running atm.

(screenshot: input)

This looks good.
Do you have entries from your host in Graylog?
You mentioned earlier that you want to forward logs from a second client to your server. This won’t work at the moment. You’d need to configure the input to 0.0.0.0 or the address of the NIC you want to use.

(screenshot: input configuration)

Ok,
For my client, what are the configurations to do in the syslog.conf file? Like $InputTCPServerRun <port> and *.* @@remote-host:514? Knowing that I have a NAT redirect from 514 to 1514.
Thanks in advance

Yes, just like in the configuration of your localhost, but this time with the IP/FQDN of your Graylog server.

If you define the address of the input to be something different than 127.0.0.1 or 0.0.0.0 you need to change the rsyslog settings on your localhost as well.

Forgot that once and searched for hours :wink:

I’m pretty lost right now, I still don’t get a log in “search”. Can you help me again?

Graylog server rsyslog.conf

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see the RSyslog Documentation

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock  # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog   # reads kernel messages (the same are read from journald)
#$ModLoad immark   # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
# (Note: the queue directives are still commented out below, so no
# disk queue is actually configured for this action.)
#$ActionQueueFileName fwdRule1     # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
#$ActionQueueType LinkedList       # run asynchronously
#$ActionResumeRetryCount -1        # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@127.0.0.1:1514
# ### end of the forwarding rule ###

Client rsyslog.conf

#### MODULES ####

# The imjournal module below is now used as a message source instead of imuxsock.
$ModLoad imuxsock  # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog   # reads kernel messages (the same are read from journald)
#$ModLoad immark   # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state

#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
# (Note: the queue directives are still commented out below, so no
# disk queue is actually configured for this action.)
#$ActionQueueFileName fwdRule1     # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g       # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on     # save messages to disk on shutdown
#$ActionQueueType LinkedList       # run asynchronously
#$ActionResumeRetryCount -1        # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
*.* @@10.21.67.95:514
# ### end of the forwarding rule ###

Input config
(screenshot: input)

Hey @VrnGray

As already written by @shenke, you need to bind your input to all devices on the Graylog server (i.e. 0.0.0.0) and not localhost to be able to receive data from different servers on the network.

In addition, you have started the input on port 1514 but your syslog is configured to send to port 514; that does not match.

Is that right now?
(screenshot: TCP input)
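The two mismatches the thread ends on (an input bound to 127.0.0.1 that a remote client can never reach, and a forwarder pointed at a port that belongs to a different daemon) can both be read off the netstat listing posted above. The script below is an added example, not code from the thread, from Graylog or from rsyslog: it parses a netstat -tulpen listing and a legacy-syntax rsyslog forwarding rule and prints a verdict. The function names (listener, forward_target, check_forwarding) are this example's own, and the sample listings and rules are constructed from what was posted in the thread (the FIXED_LISTING shows the same server after the input is rebound to 0.0.0.0). One caveat a practitioner should keep in mind: it reads only the socket table, so it cannot see the NAT redirect from 514 to 1514 that was mentioned earlier; with such a redirect in place the "held by rsyslogd" verdict for port 514 is a false alarm, and tcpdump on the input port remains the authoritative check.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an rsyslog forwarding
# rule can reach the Graylog input shown in a `netstat -tulpen` listing.
# Expects netstat's column layout; `ss -tlnp` prints different columns.

# Constructed server listing: the relevant lines from the thread's netstat output.
SERVER_LISTING='tcp        0      0 0.0.0.0:514       0.0.0.0:*   LISTEN  0    21870  2202/rsyslogd
tcp6       0      0 :::514            :::*        LISTEN  0    21871  2202/rsyslogd
tcp6       0      0 10.21.67.95:9000  :::*        LISTEN  995  21771  1975/java
tcp6       0      0 127.0.0.1:1514    :::*        LISTEN  995  22750  1975/java'

# Constructed: the same server after the input is bound to 0.0.0.0 instead of 127.0.0.1.
FIXED_LISTING='tcp        0      0 0.0.0.0:514       0.0.0.0:*   LISTEN  0    21870  2202/rsyslogd
tcp6       0      0 :::1514           :::*        LISTEN  995  22750  1975/java'

# Constructed forwarding rules in rsyslog's legacy syntax, as used in the thread.
SERVER_RULE='*.* @@127.0.0.1:1514'
CLIENT_RULE='*.* @@10.21.67.95:514'
CLIENT_RULE_1514='*.* @@10.21.67.95:1514'

# listener PORT LISTING -> "<scope> <program>", scope being one of
# any (0.0.0.0 or ::), loopback (127.0.0.1 or ::1), specific (one NIC) or none.
listener() {
  printf '%s\n' "$2" | awk -v port="$1" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
      n = split($4, a, ":"); if (a[n] != port) next   # port is after the last ":"
      addr = substr($4, 1, length($4) - length(port) - 1)
      prog = $NF
      if (addr == "0.0.0.0" || addr == "::") any = 1
      else if (addr == "127.0.0.1" || addr == "::1") lo = 1
      else other = 1
    }
    END {
      if (any) print "any " prog
      else if (other) print "specific " prog
      else if (lo) print "loopback " prog
      else print "none -"
    }'
}

# forward_target RULE -> "host:port" of the first @ (UDP) or @@ (TCP) action,
# applying rsyslog's default port 514 when the rule gives none.
forward_target() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*#/ { next }
    NF >= 2 && $2 ~ /^@@?/ {
      t = $2
      sub(/^@@?/, "", t)                 # strip the @ / @@ transport marker
      sub(/^\([^)]*\)/, "", t)           # drop an option block such as "(o)"
      if (t !~ /:[0-9]+$/) t = t ":514"  # port is optional, default 514
      print t; exit
    }'
}

# check_forwarding RULE LISTING -> prints one verdict line; exit status 0 only
# when the rule points at a java (Graylog) listener the sender can reach.
check_forwarding() {
  target=$(forward_target "$1")
  [ -n "$target" ] || { echo "NO RULE: no @/@@ forwarding action found"; return 1; }
  host=${target%:*}; port=${target##*:}
  set -- $(listener "$port" "$2")
  scope=$1; prog=$2
  case "$host" in
    127.0.0.1|localhost|::1) local_sender=1 ;;
    *) local_sender=0 ;;
  esac
  if [ "$scope" = none ]; then
    echo "MISMATCH: nothing listens on TCP $port; check the input port"; return 1
  fi
  case "$prog" in
    */java) ;;
    *) echo "MISMATCH: TCP $port is held by $prog, not the Graylog input"; return 1 ;;
  esac
  if [ "$scope" = loopback ] && [ "$local_sender" -eq 0 ]; then
    echo "UNREACHABLE: input on $port is bound to loopback only; bind it to 0.0.0.0"; return 1
  fi
  echo "OK: $host:$port reaches $prog ($scope)"; return 0
}

# Demo run over the constructed scenarios; exit statuses are ignored here.
check_forwarding "$SERVER_RULE"      "$SERVER_LISTING" || :
check_forwarding "$CLIENT_RULE"      "$SERVER_LISTING" || :
check_forwarding "$CLIENT_RULE_1514" "$SERVER_LISTING" || :
check_forwarding "$CLIENT_RULE_1514" "$FIXED_LISTING"  || :
```

Run against a live host by replacing the constructed strings with `"$(netstat -tulpen)"` and `"$(cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf)"`; the verdict is only about the socket table, so after fixing the bind address still confirm delivery with `tcpdump -ni any port 1514` while sending a test line with `logger`.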
