Ha,
Now I defined a port in /etc/rsyslog.conf as
*.* @@162.20.100.27:9300
and my Graylog server input as Syslog TCP with port 9300 and bind address
162.20.100.27.
My log is clear:
2016-08-16T15:17:13.831-04:00 WARN [NettyTransport] receiveBufferSize (SO_RCVBUF) for input SyslogTCPInput{title=!0.12.100.15, type=org.graylog2.inputs.syslog.tcp.SyslogTCPInput, nodeId=null} should be 1048576 but is 212992.
2016-08-16T15:17:13.842-04:00 INFO [InputStateListener] Input [Syslog TCP/57b36663eb183f7ccc9de01a] is now RUNNING
As per my knowledge: we can configure port 514 in syslog and the same port as
the Graylog input, right?
Thank you
On Tuesday, August 16, 2016 at 12:10:09 PM UTC-7, Ha NN wrote:
>
> Hi Sam,
>
> You cannot capture anything if nothing is listening on that port. I guess
> there is something wrong with your Graylog input config. Maybe you should
> have a look into the Graylog log.
>
> On 16.08.2016 9:04 PM, "sam" <[email protected]> wrote:
>
>> Hi Ha,
>>
>>
>> Below is the log from tcpdump:
>>
>> tcpdump -i eth0 port 5140
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>
>> 0 packets captured
>> 1 packets received by filter
>> 0 packets dropped by kernel
>>
>> Thank you
>>
>>
>> On Tuesday, August 16, 2016 at 11:57:31 AM UTC-7, Ha NN wrote:
>>>
>>> Hi Sam,
>>>
>>> You can get your interface number with
>>>
>>> ifconfig -a
>>>
>>> You need the interface for the IP 162.20.100.27, something like eth0 or
>>> eth1. So the command should look like
>>>
>>> tcpdump -i eth0 port 5140
>>>
>>> No, you cannot use port 16001 because it's in use. Maybe you should double
>>> check your syslog input in Graylog.
>>>
>>> On 16.08.2016 8:44 PM, "sam" <[email protected]> wrote:
>>>
>>>> Hi Ha,
>>>>
>>>> I can't use this one:
>>>>
>>>> tcpdump -i ethX port 5140, where:
>>>>
>>>>
>>>> tcpdump -i eth162.20.100.27 port 5140 (Can you please let me know
>>>> whether I am using the right one?)
>>>>
>>>>
>>>> Can I use 16001 to configure syslog to receive the logs?
>>>>
>>>> Thank you Ha
>>>>
>>>>
>>>>
>>>>
>>>> On Tuesday, August 16, 2016 at 11:36:29 AM UTC-7, Ha NN wrote:
>>>>>
>>>>> Hi Sam,
>>>>>
>>>>> there is nothing on port 5140.
>>>>>
>>>>> On 16.08.2016 8:21 PM, "sam" <[email protected]> wrote:
>>>>>
>>>>>> Hi Ha,
>>>>>>
>>>>>> Below is the output for netstat -tulpen, where my Graylog address
>>>>>> is 162.20.100.27:
>>>>>>
>>>>>> Active Internet connections (only servers)
>>>>>> Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
>>>>>> tcp 0 0 162.20.100.27:16001 0.0.0.0:* LISTEN 0 14422 1311/python
>>>>>> tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 499 21667 2180/mongod
>>>>>> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 0 14409 1651/sshd
>>>>>> tcp 0 0 ::ffff:162.20.100.27:12900 :::* LISTEN 497 570097 30968/java
>>>>>> tcp 0 0 ::ffff:127.0.0.1:9350 :::* LISTEN 497 570036 30968/java
>>>>>> tcp 0 0 ::1:9350 :::* LISTEN 497 570035 30968/java
>>>>>> tcp 0 0 ::ffff:162.20.100.27:9000 :::* LISTEN 497 569340 30968/java
>>>>>> tcp 0 0 :::12201 :::* LISTEN 497 610172 30968/java
>>>>>> tcp 0 0 ::ffff:127.0.0.1:9200 :::* LISTEN 498 103819 25135/java
>>>>>> tcp 0 0 ::1:9200 :::* LISTEN 498 103818 25135/java
>>>>>> tcp 0 0 ::ffff:127.0.0.1:9300 :::* LISTEN 498 103168 25135/java
>>>>>> tcp 0 0 ::1:9300 :::* LISTEN 498 103791 25135/java
>>>>>> tcp 0 0 :::22 :::* LISTEN 0 14411 1651/sshd
>>>>>> udp 0 0 0.0.0.0:68 0.0.0.0:* 0 13290 1594/dhclient
>>>>>> udp 0 0 162.20.100.27:123 0.0.0.0:* 0 30140 2804/ntpd
>>>>>> udp 0 0 127.0.0.1:123 0.0.0.0:* 0 30139 2804/ntpd
>>>>>> udp 0 0 0.0.0.0:123 0.0.0.0:* 0 30132 2804/ntpd
>>>>>> udp 0 0 :::12201 :::* 497 611311 30968/java
>>>>>> udp 0 0 fe80::20d:3aff:fe01:162b:123 :::* 0 30142 2804/ntpd
>>>>>> udp 0 0 ::1:123 :::* 0 30141 2804/ntpd
>>>>>> udp 0 0 :::123 :::* 0 30133 2804/ntpd
>>>>>>
>>>>>> On Monday, August 15, 2016 at 11:14:42 PM UTC-7, Ha NN wrote:
>>>>>>>
>>>>>>> Hi Sam,
>>>>>>>
>>>>>>> Please make sure that Graylog is listening on the right port.
>>>>>>>
>>>>>>> Give us the output for
>>>>>>>
>>>>>>> netstat -tulpen
>>>>>>>
>>>>>>> Please make sure that you are sending data on that port with
>>>>>>>
>>>>>>> tcpdump -i ethX port 5140
>>>>>>>
>>>>>>> Replace the X with your interface.
>>>>>>>
>>>>>>> On 16.08.2016 6:53 AM, "sam" <[email protected]> wrote:
>>>>>>> >
>>>>>>> > Hi Jason,
>>>>>>> >
>>>>>>> >
>>>>>>> > Graylog is installed on a Linux server. I used the RPM package for
>>>>>>> > installation (Graylog 2.0). Can you let me know the possible reasons?
>>>>>>> >
>>>>>>> >
>>>>>>> > Firewall on graylog server or client machine?
>>>>>>> >
>>>>>>> >
>>>>>>> >
>>>>>>> > Thank you
>>>>>>> >
>>>>>>> >
>>>>>>> > On Monday, August 15, 2016 at 3:44:35 PM UTC-7, Jason Warnes wrote:
>>>>>>> >>
>>>>>>> >> It might be a firewall on your Graylog server. Without knowing
>>>>>>> >> what method you used to install the Graylog server it's hard to know
>>>>>>> >> for sure.
>>>>>>> >>
>>>>>>> >>
>>>>>>> >> On Monday, August 15, 2016 at 12:46:02 AM UTC-6, sam wrote:
>>>>>>> >>>
>>>>>>> >>> Hi All,
>>>>>>> >>>
>>>>>>> >>> I am trying to send syslog messages into my Graylog server. I
>>>>>>> >>> configured the IP address in the /etc/rsyslog.conf file, but I have
>>>>>>> >>> issues getting the logs to my Graylog server.
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>> Can any of you help me with this, please?
>>>>>>> >>>
>>>>>>> >>> /etc/rsyslog.conf:
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>> *.* @graylog.ip.address:5140
>>>>>>> >>>
>>>>>>> >>> These settings are configured on the client server.
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>> The input configured on the Graylog server is:
>>>>>>> >>> bind address : 0.0.0.0
>>>>>>> >>> port : 5140
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>>
>>>>>>> >>> Thank you
>>>>>>> >>> Sam
>>>>>>> >>>
>>>>>>>
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/aaee66d9-c5d4-4955-bf64-9020858f065a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
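A check for the situation discussed in this thread, added here as an example and not code from the thread, from rsyslog or from Graylog: it parses the legacy rsyslog forwarding rule (one @ is UDP, @@ is TCP, the port defaults to 514 when omitted) and looks for a matching listener in a netstat -tulpen snapshot, treating 0.0.0.0 and :: binds as wildcards and ::ffff: addresses as their IPv4 equivalent. The sample snapshot is a constructed subset of the output posted in the thread; the names Forward, parse_rsyslog_forward, parse_listeners, find_listener and diagnose are my own.

```python
import re
from typing import NamedTuple, Optional

class Forward(NamedTuple):
    proto: str  # "udp" for '@host', "tcp" for '@@host'
    host: str
    port: int

_RULE = re.compile(r"^\s*\S+\s+(@@?)([A-Za-z0-9.\-]+)(?::(\d+))?\s*$")

def parse_rsyslog_forward(line: str) -> Forward:
    """Parse '*.* @host[:port]' (UDP) or '*.* @@host[:port]' (TCP); port defaults to 514."""
    m = _RULE.match(line)
    if not m:
        raise ValueError(f"not a forwarding rule: {line!r}")
    at, host, port = m.groups()
    return Forward("tcp" if at == "@@" else "udp", host, int(port) if port else 514)

def parse_listeners(netstat_output: str):
    """Yield (proto, bind_host, port) for each socket row of `netstat -tulpen`."""
    for row in netstat_output.splitlines():
        cols = row.split()
        if len(cols) < 4 or cols[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header line, blank line or wrapped continuation
        host, _, port = cols[3].rpartition(":")
        if host.startswith("::ffff:"):  # IPv4-mapped socket also serves IPv4
            host = host[len("::ffff:"):]
        yield cols[0].rstrip("6"), host, int(port)

def find_listener(fwd: Forward, netstat_output: str) -> Optional[str]:
    """Return the bind address that would accept fwd's traffic, or None."""
    wildcard = {"0.0.0.0", "::", "*"}
    for proto, host, port in parse_listeners(netstat_output):
        if proto == fwd.proto and port == fwd.port and (host in wildcard or host == fwd.host):
            return host
    return None

def diagnose(rsyslog_line: str, netstat_output: str) -> str:
    fwd = parse_rsyslog_forward(rsyslog_line)
    bound = find_listener(fwd, netstat_output)
    if bound is None:
        return f"no {fwd.proto} listener for {fwd.host}:{fwd.port}: check the Graylog input and firewall"
    return f"{fwd.proto}/{fwd.port} is served by a socket bound to {bound}"

# Constructed snapshot: a subset of the netstat -tulpen output posted in the thread.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 162.20.100.27:16001 0.0.0.0:* LISTEN 0 14422 1311/python
tcp 0 0 ::ffff:127.0.0.1:9300 :::* LISTEN 498 103168 25135/java
udp 0 0 :::12201 :::* 497 611311 30968/java
"""
```

Running diagnose("*.* @graylog.ip.address:5140", SAMPLE_NETSTAT) reports that nothing listens for UDP on 5140, which is the state the netstat output in the thread showed.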