Watchguard Syslog not showing messages in search

Graylog Add-ons
#1

So, I tried setting up a Syslog UDP to get the Watchguard Logs - sent in Syslog format. No good - the Input showed messages coming in - but nothing showed in search.
I found the All In One Watchguard content pack and installed it. Nice dashboards, input shows messages coming in, it has extractors - but nothing shows up in search, nor in the dashboards.

My system: Graylog 4.0.1+6a0cc0b on Red Hat, Inc. 1.8.0_275 on Linux 4.18.0-240.1.1.el8_3.x86_64

Watchguard is on the same subnet, rules applied, and, according to the input, getting to the server.

Does syslog UDP just not work?

Any tips?

#2

Well, It seems they just started showing up. Took maybe 30 minutes - I saw the entries from the watchguard - and I searched again and they were gone. Not sure how/why they showed up for that brief moment - but that tells me that they are in there somewhere…

How to get the to show up consistently?!?

I think I can see them if I put the Source name ( “MyWatchguardName” ) as the search term.
I mean, I can - at least once.

… Looking further, the Firewall logs show in a burst - and then other logs push them down in the logs…
…and now they are showing up… … weird. I’ll leave this here instead of deleting -

Still welcome any tips and tricks other than “Be patient, it takes a while”

#3

Probably problem with timestamps. If there is time and date in message, compare with timestamp field saved by graylog. If timestamps is saved in the future, you will see them also in future, not immediately.

Please post example of full message, and timestamp.

1 Like
#4

Time is it! We are on CST, they are on EST and Graylog is set to UTC.

I’ve got to see how to get those syncing up - its 8:55 there, 7:55 here and logs are showing 13:55 UTC.

I updated the Graylog server to be (accurately) in EST and everything looks good!

Thank you!

#5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.