Hi Sam,

why would you try to send syslog messages directly into Elasticsearch on 
port 9300, 9350, or 9200?

You have to create a syslog input in Graylog and send data there, 
see 
https://github.com/Graylog2/graylog-guide-syslog-linux/blob/master/README.md 
for details.

Cheers,
Jochen

On Tuesday, 16 August 2016 21:36:07 UTC+2, sam wrote:
>
> Ha,
>
>
> Now I have defined a port in /etc/rsyslog.conf as
>
> *.* @@162.20.100.27:9300
>
>
>
> and my graylog server input as syslog_TCP with port 9300 and bind address: 
> 162.20.100.27
>
>
> My log is clear:
>
>
> 2016-08-16T15:17:13.831-04:00 WARN  [NettyTransport] receiveBufferSize 
> (SO_RCVBUF) for input SyslogTCPInput{title=!0.12.100.15, 
> type=org.graylog2.inputs.syslog.tcp.SyslogTCPInput, nodeId=null} should be 
> 1048576 but is 212992.
> 2016-08-16T15:17:13.842-04:00 INFO  [InputStateListener] Input [Syslog 
> TCP/57b36663eb183f7ccc9de01a] is now RUNNING
>  
>
>
>
>
> As per my knowledge : 
>
> We can configure 514 port in syslog and same port as input in graylog 
> input right?
>
>
>
>
> Thank you 
>
> On Tuesday, August 16, 2016 at 12:10:09 PM UTC-7, Ha NN wrote:
>>
>> Hi Sam,
>>
>> you cannot capture anything if nothing is listening on that port. I guess 
>> there is something wrong with your graylog input config. Maybe you should 
>> have a look into the graylog log.
>>
>> On 16.08.2016 at 9:04 PM, "sam" <[email protected]> wrote:
>>
>>> Hi Ha,
>>>
>>>
>>> below is the log from tcpdump
>>>
>>>  tcpdump -i eth0 port 5140
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol 
>>> decode
>>> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>
>>> 0 packets captured
>>> 1 packets received by filter
>>> 0 packets dropped by kernel
>>>
>>> Thank you 
>>>
>>>
>>> On Tuesday, August 16, 2016 at 11:57:31 AM UTC-7, Ha NN wrote:
>>>>
>>>> Hi Sam,
>>>>
>>>> you can get your interface number with 
>>>>
>>>> ifconfig -a
>>>>
>>>> you need the interface for the ip 162.20.100.27. Something like eth0, 
>>>> eth1. So the command should look like
>>>>
>>>> tcpdump -i eth0 port 5140
>>>>
>>>> No, you cannot use port 16001 because it's in use. Maybe you should double 
>>>> check your syslog input in graylog.
>>>>
>>>> On 16.08.2016 at 8:44 PM, "sam" <[email protected]> wrote:
>>>>
>>>>> Hi Ha,
>>>>>
>>>>> I am not able to use this one:
>>>>>
>>>>> tcpdump -i ethX port 5140   where ;
>>>>>
>>>>>
>>>>> tcpdump -i eth162.20.100.27 port 5140  (Can you please let me know 
>>>>> whether I am using the right one) 
>>>>>
>>>>>
>>>>> Can I use 16001 to configure syslog to receive the logs ??? 
>>>>>
>>>>> Thank you Ha
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tuesday, August 16, 2016 at 11:36:29 AM UTC-7, Ha NN wrote:
>>>>>>
>>>>>> Hi Sam,
>>>>>>
>>>>>> there is nothing on port 5140.
>>>>>>
>>>>>> On 16.08.2016 at 8:21 PM, "sam" <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Ha,
>>>>>>>
>>>>>>> below is the output for netstat -tulpen:   where my graylog address 
>>>>>>> is : 162.20.100.27
>>>>>>>
>>>>>>> Active Internet connections (only servers)
>>>>>>> Proto Recv-Q Send-Q Local Address                Foreign Address  State   User  Inode   PID/Program name
>>>>>>> tcp        0      0 162.20.100.27:16001          0.0.0.0:*        LISTEN  0     14422   1311/python
>>>>>>> tcp        0      0 127.0.0.1:27017              0.0.0.0:*        LISTEN  499   21667   2180/mongod
>>>>>>> tcp        0      0 0.0.0.0:22                   0.0.0.0:*        LISTEN  0     14409   1651/sshd
>>>>>>> tcp        0      0 ::ffff:162.20.100.27:12900   :::*             LISTEN  497   570097  30968/java
>>>>>>> tcp        0      0 ::ffff:127.0.0.1:9350        :::*             LISTEN  497   570036  30968/java
>>>>>>> tcp        0      0 ::1:9350                     :::*             LISTEN  497   570035  30968/java
>>>>>>> tcp        0      0 ::ffff:162.20.100.27:9000    :::*             LISTEN  497   569340  30968/java
>>>>>>> tcp        0      0 :::12201                     :::*             LISTEN  497   610172  30968/java
>>>>>>> tcp        0      0 ::ffff:127.0.0.1:9200        :::*             LISTEN  498   103819  25135/java
>>>>>>> tcp        0      0 ::1:9200                     :::*             LISTEN  498   103818  25135/java
>>>>>>> tcp        0      0 ::ffff:127.0.0.1:9300        :::*             LISTEN  498   103168  25135/java
>>>>>>> tcp        0      0 ::1:9300                     :::*             LISTEN  498   103791  25135/java
>>>>>>> tcp        0      0 :::22                        :::*             LISTEN  0     14411   1651/sshd
>>>>>>> udp        0      0 0.0.0.0:68                   0.0.0.0:*                0     13290   1594/dhclient
>>>>>>> udp        0      0 162.20.100.27:123            0.0.0.0:*                0     30140   2804/ntpd
>>>>>>> udp        0      0 127.0.0.1:123                0.0.0.0:*                0     30139   2804/ntpd
>>>>>>> udp        0      0 0.0.0.0:123                  0.0.0.0:*                0     30132   2804/ntpd
>>>>>>> udp        0      0 :::12201                     :::*                     497   611311  30968/java
>>>>>>> udp        0      0 fe80::20d:3aff:fe01:162b:123 :::*                     0     30142   2804/ntpd
>>>>>>> udp        0      0 ::1:123                      :::*                     0     30141   2804/ntpd
>>>>>>> udp        0      0 :::123                       :::*                     0     30133   2804/ntpd
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Monday, August 15, 2016 at 11:14:42 PM UTC-7, Ha NN wrote:
>>>>>>>>
>>>>>>>> Hi Sam
>>>>>>>>
>>>>>>>> please make sure that graylog is listening on the right port.
>>>>>>>>
>>>>>>>> give us the output for 
>>>>>>>>
>>>>>>>> netstat -tulpen
>>>>>>>>
>>>>>>>> Please make sure that you are sending data on that port with
>>>>>>>>
>>>>>>>> tcpdump -i ethX port 5140
>>>>>>>>
>>>>>>>> Replace the x with your interface.
>>>>>>>>
>>>>>>>> On 16.08.2016 at 6:53 AM, "sam" <[email protected]> wrote:
>>>>>>>> >
>>>>>>>> > Hi Jason,
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > Graylog is installed in linux server. I used rpm package for 
>>>>>>>> > installation. (graylog 2.0) . Can you let me know the possible 
>>>>>>>> > reasons. 
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > Firewall on graylog server or client machine?
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > Thank you 
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > On Monday, August 15, 2016 at 3:44:35 PM UTC-7, Jason Warnes wrote:
>>>>>>>> >>
>>>>>>>> >> It might be a firewall on your graylog server.  Without knowing 
>>>>>>>> >> what method you used to install the graylog server it's hard to know 
>>>>>>>> >> for sure.
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >> On Monday, August 15, 2016 at 12:46:02 AM UTC-6, sam wrote:
>>>>>>>> >>>
>>>>>>>> >>> Hi All,
>>>>>>>> >>>
>>>>>>>> >>> I am trying to send syslog messages into my graylog server. I 
>>>>>>>> >>> configured the ip address in /etc/rsyslog.conf file, I have issues in 
>>>>>>>> >>> getting the logs to my graylog server. 
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>> Can anyone of you help me from this please..! 
>>>>>>>> >>>
>>>>>>>> >>> /etc/rsyslog.conf/
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>> *.* @graylog.ip.address:5140
>>>>>>>> >>>
>>>>>>>> >>> These settings are configured on the client server, 
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>> Input configured in graylog server is: 
>>>>>>>> >>> bind address : 0.0.0.0
>>>>>>>> >>> port : 5140 
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>> Thank you 
>>>>>>>> >>> Sam 
>>>>>>>> >>>
>>>>>>>> > -- 
>>>>>>>> > You received this message because you are subscribed to the 
>>>>>>>> Google Groups "Graylog Users" group.
>>>>>>>> > To unsubscribe from this group and stop receiving emails from it, 
>>>>>>>> send an email to [email protected].
>>>>>>>> > To view this discussion on the web visit 
>>>>>>>> https://groups.google.com/d/msgid/graylog2/7447055d-cb6e-4ae0-bd7b-9fb4aadad414%40googlegroups.com
>>>>>>>> .
>>>>>>>> >
>>>>>>>> > For more options, visit https://groups.google.com/d/optout.
>>>>>>>>
>>
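
The checks walked through in this thread (is anything listening on the port, over the protocol rsyslog sends, on an address the client can reach, and owned by which process), as an added example that is not part of any message above. The function names and status strings are illustrative, the rule's host is assumed to be an IPv4 address, and the sample rows are a constructed subset of the `netstat -tulpen` output quoted in the thread.

```python
import re

# Constructed sample: four rows copied from the netstat -tulpen output in the thread.
NETSTAT = """\
tcp  0 0 162.20.100.27:16001        0.0.0.0:*  LISTEN 0   14422  1311/python
tcp  0 0 ::ffff:127.0.0.1:9300      :::*       LISTEN 498 103168 25135/java
tcp  0 0 ::1:9300                   :::*       LISTEN 498 103791 25135/java
udp  0 0 :::12201                   :::*              497 611311 30968/java
"""

WILDCARDS = {"0.0.0.0", "::"}  # bind addresses that accept traffic on any interface


def parse_forward(rule):
    """Return (proto, host, port) for an rsyslog forwarding rule; @ is UDP, @@ is TCP."""
    m = re.search(r"\s(@{1,2})([^\s@:]+):(\d+)\s*$", rule)
    if not m:
        raise ValueError("not a forwarding rule: %r" % rule)
    return ("tcp" if m.group(1) == "@@" else "udp"), m.group(2), int(m.group(3))


def listeners(text):
    """Yield (proto, bind_address, port, owner) for each socket row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        addr, _, port = f[3].rpartition(":")
        # Strip the IPv4-mapped prefix so ::ffff:127.0.0.1 compares as 127.0.0.1.
        yield f[0][:3], addr.replace("::ffff:", ""), int(port), f[-1]


def check(rule, netstat_text):
    """Classify whether a forwarding rule can reach a listener on the server."""
    proto, host, port = parse_forward(rule)
    on_port = [s for s in listeners(netstat_text) if s[2] == port]
    if not on_port:
        return ("no-listener", None)
    same_proto = [s for s in on_port if s[0] == proto]
    if not same_proto:
        return ("proto-mismatch", on_port[0][0])
    for _, addr, _, owner in same_proto:
        if addr == host or addr in WILDCARDS:
            return ("listening", owner)  # still confirm the owner is the Graylog input
    return ("wrong-bind", same_proto[0][1])
```

A `listening` result only says that some process accepts the traffic; the returned owner (PID/program) is what tells you whether that process is the Graylog input or something else already using the port.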
