Watchguard and Graylog


1. Describe your incident:
I have a WatchGuard M270 and enabled syslog logging, port 1514, to be sent to the Graylog server. Added a Syslog UDP input, and also TCP port 1514, but nothing is arriving. I have Windows and Windows Server logs arriving, just not the syslog from the WatchGuard Firebox. The inputs are running, but no data. What am I missing?

2. Describe your environment:

  • OS Information: Graylog open source, free version

  • Package Version:

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

4. How can the community help? Any input if anyone has configured a watchguard box syslog to Graylog server


Hello && Welcome @twtepper

I’m assuming this is a package install, not Docker? If this is correct there are a couple of things to check:

1. Make sure port 1514 is opened on the firewall.
2. You can run a tcpdump on Graylog for port 1514.
root # tcpdump host watchguard
3. Check date/time on devices.
4. Check logs on the WatchGuard M270 for anything that may pertain to this issue. Normally you won't see many logs for UDP, but maybe for TCP since it's a three-way handshake.
5. Depending on how you set up your inputs, perhaps try setting them to Global (enable the tick box on top of the INPUT).
6. Perhaps try a different input (i.e. Raw/Plaintext UDP).
7. Check the logs on Graylog for anything that may pertain to this issue.
8. I’m assuming this is a firewall; check to see if you can ping the Graylog server from the WatchGuard.

Showing how you set up your environment would be appreciated.

gsmith Leader
March 17
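An added example (not from this thread or from Graylog): a small Python check that sends a constructed RFC 3164 syslog line over UDP and parses the PRI header of whatever arrives. Run against a loopback listener it proves the sender and parser work; pointed at the Graylog host and input port (1514 in this thread) it gives a known test message to look for under "Show received messages", and the facility/severity it reports are what a stream rule would match on. The hostname and message body are made up.

```python
import re
import socket

# Constructed sample line in RFC 3164 style (hostname and body are made up).
# <134> = facility 16 (local0) * 8 + severity 6 (info).
SAMPLE_LINE = "<134>Mar 17 10:15:02 firebox-test firewall: Allow 10.0.1.20 8.8.8.8 53/udp (constructed)"

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_syslog_pri(line: str) -> dict:
    """Split a syslog line into facility, severity and the remainder.
    PRI = facility * 8 + severity and must be 0..191; a missing or
    out-of-range PRI is reported so you can see why a Syslog input
    might reject or misfile a message that tcpdump shows arriving."""
    m = PRI_RE.match(line)
    if not m:
        return {"valid": False, "facility": None, "severity": None, "rest": line}
    pri = int(m.group(1))
    if pri > 191:
        return {"valid": False, "facility": None, "severity": None, "rest": m.group(2)}
    return {"valid": True, "facility": pri // 8, "severity": pri % 8, "rest": m.group(2)}


def send_syslog_udp(line: str, host: str, port: int) -> int:
    """Send one syslog datagram to host:port; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        return tx.sendto(line.encode("utf-8"), (host, port))


def loopback_roundtrip(line: str, timeout: float = 2.0) -> dict:
    """Bind a throwaway UDP listener on 127.0.0.1, send the line to it and
    parse what arrives. This validates the sender and parser offline before
    you point send_syslog_udp at the real Graylog input."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        port = rx.getsockname()[1]
        send_syslog_udp(line, "127.0.0.1", port)
        data, _ = rx.recvfrom(65535)
    return parse_syslog_pri(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    print(loopback_roundtrip(SAMPLE_LINE))
    # To test the real input (hypothetical address), uncomment:
    # send_syslog_udp(SAMPLE_LINE, "GRAYLOG_HOST", 1514)
```

If tcpdump shows the datagram but the message never appears in the input, compare the facility/severity reported here with the rules on the stream you expect it to land in.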

Hello && Welcome @twtepper

I’m assuming this is a package install, not Docker? If this is correct there are a couple of things to check:

1. Make sure port 1514 is opened on the firewall. open
2. You can run a tcpdump on Graylog for port 1514. tcpdump -i em1 port 1514 (from watchguard to graylog IP)
root # tcpdump host watchguard
3. Check date/time on devices. ok
4. Check logs on the WatchGuard M270 for anything that may pertain to this issue. Normally you won't see many logs for UDP, but maybe for TCP since it's a three-way handshake.
5. Depending on how you set up your inputs, perhaps try setting them to Global (enable the tick box on top of the INPUT). Global set
6. Perhaps try a different input (i.e. Raw/Plaintext UDP).
7. Check the logs on Graylog for anything that may pertain to this issue. Don’t see anything
8. I’m assuming this is a firewall; check to see if you can ping the Graylog server from the WatchGuard. yes

Showing how you set up your environment would be appreciated.

Graylog is on CentOS 7, running. Windows event logs are coming through OK, although I'm also having issues trying to get the firewall logs. It seems the only thing working is Beats with the Windows event logs. What other environment setup do you need?

Timothy Tepper

ViGYAN, Inc.

757.865.1400

757.592.5899©

Hello,

It's hard to tell what the issue could be. Can you give more information on how you set up your environment? If you're unsure what to post, this post will help us help you. :slight_smile:

EDIT: Sorry I missed this question

1. Input types/configurations
2. Log shipper version/type/configuration
3. Extractors or pipelines created
4. Logs from Elasticsearch/Graylog (basically look for anything that would pertain to this issue)
5. What type of input is used for what type of devices in this environment.

To sum it up, demonstrate how you're ingesting logs from a remote device to Graylog.

The post above shows how/what to use when posting log files and/or configuration files.

CentOS 7

Graylog-server-4.2.7-1.noarch

Mongo-org-server-4.2.19-1.e17.x86_64

Elasticsearch-oss-7.10.2-1.x86_64

From the WatchGuard M270 I enabled the syslog server, using port 1514 and pointing to the IP address of the Graylog server. I can ping it from the WatchGuard. I left the syslog facility for each type of device log message as default.

On the Graylog server I created, under System/Inputs, Syslog UDP and Syslog TCP. I do have the ports set to 1514 and the inputs are green and running. When I go to “Show received messages” there is nothing displaying.

If I go to the Beats global input and go to “Show received messages” I see all the Windows computers and event logs I set up using the graylog-sidecar installer_1.1.0.1.exe Windows agent. I can also see the logs if I go into System/Sidecars and select “Show messages”. I HAVEN’T SET UP MY DASHBOARD YET BECAUSE I WANTED EVERYTHING WORKING FIRST.

I think I am missing a step or something. Do you need screen shots? If so, what do you need?

Also, I’ve been doing some reading, and in order to get Windows firewall logs I need to use GELF?

Thanks for trying to help me.

-tim


Hello,

Oh I see, so you have something like this?

For troubleshooting purposes:
Create a new input, let's say port 5140 Syslog/UDP, and adjust the WatchGuard M270 device configuration accordingly.

Example:

To give a better idea, in my lab:


If you noticed, I separated my devices with different INPUTs which have different ports. Yes, you can use the same port for TCP & UDP, but it is better for organization when configuring iptables / the firewall. I need to use this setup so I do not have port conflicts.

EDIT:

That is incorrect.

I tried different configurations with different ports and am still not receiving anything into Graylog???


I can ping, and the firewall is open on the ports on both.


Hello,

Not being able to see :eyes: what you're doing makes it difficult to help you with this issue. Some of the questions I asked earlier were not answered, so I’m only guessing that you have a configuration issue.

What I know is…

  • WatchGuard M270: I enabled syslog server, using port 1514
  • tried different configurations with different ports
  • you can ping and the firewall is open on ports on both

Would it help if we had a TEAMS or Zoom meeting and I could share my screen?


Hello,
We don’t need to go that far with a Zoom meeting. It's just difficult when the result of what was executed is not displayed here. To be honest, I don’t get paid for helping; I do this on my own time because I like to help out if I can. To get a better idea, perhaps look over this post.

Also, answering any question that a community member asks, with full details, is very helpful. This gives them an opportunity to understand how you set up your environment… The thing is, you may know and see what’s going on, but you have to relay that back here in a post so we can understand what the outcome of your execution was and maybe get a feel for why that is happening. Right now I can only guess, and with the lack of information on the effect of any action that was taken, it's hard to interpret to give a solution. Hope that helps.

Just to let you know, I figured out the issue. Using Raw Data, it ended up being a stream issue. I am now getting Windows events, computer firewall logs (pfirewall) and data from the WatchGuard. I was seeing that I was getting data with an input using Syslog, but wasn’t getting any display. I remember you talking about RAW, and with that and a tweak on the stream, I am now getting data.

Thanks for the help.


Oh nice, good job @twtepper
If you could mark this as resolved for future issues, that would be great.

Thanks again for all the help and patience.
