Hi,
I post a message from *ecloudbizsolns <https://github.com/ecloudbizsolns>. See https://github.com/Graylog2/graylog2-server/issues/2649* I have the same problem an nobody to gi *ve a solution. I think I m alone in this case.* Graylog is not receiving syslog messages from remote subnets *on an other interface than eth0*. If NAT is implemented then it works. However this loses the source IP. This could be by design, but I am unable to locate any documentation referring to accepting (or not accepting) syslog messages from remote subnets. *Background Info* Devices on other subnets send syslog messages, they are received at Graylog (tcpdump confirms this), but never make it into the store. If the firewall NAT's those same packets to have the log subnet source IP, then it works flawlessly. Other than the real source IP has now been irretrievably lost. *Expected Behavior* Log messages from remote subnets should be processed or a clear, concise and obvious error should be generated. *Current Behavior* Log messages from remote subnets are *silently* discarded unless NAT'd to appear to be from the same subnet. *Possible Solution* NAT'ing the remote subnet to the Graylog subnet allows the messages to be received, however the source IP is lost forever. *Steps to Reproduce (for bugs)* Send any syslog message from a remote subnet under an other interface than eth0 - it will not be received. NAT that same traffic and it works. *Context* Want to accept logs from devices on subnets other than the subnet to which Graylog is directly connected. *My Environment* Current 2.0.3 VM on VirtualBox, imported from OVA *2 NIC's*: one for mgmt, one for receiving logs (dedicated logging subnet) Time is synchronised correctly across all devices Firewall and NAS appliances have connectivity to log subnet and logs are received correctly. - Graylog Version: Out of the box 2.1.0 OVA - Elasticsearch Version: Out of the box 2.1.0 OVA - MongoDB Version: Out of the box 2.1.0 OVA tcpdumps tcpdump -ni eth1 -Xvvvs0 port 514 Note: 10.10.30.253 is a wifi AP, 10.10.70.25 is graylog server This message is not ingested by Graylog: 11:00:17.674727 IP (tos 0x0, ttl 63, id 35326, offset 0, flags [DF], proto UDP (17), length 97) 10.10.30.253.2052 > 10.10.70.25.514: [udp sum ok] SYSLOG, length: 69 Facility user (1), Severity info (6) Msg: Aug 10 11:00:22 syslog: klogd : klog daemon successfully started\0x0a 0x0000: 3c31 343e 4175 6720 3130 2031 313a 3030 0x0010: 3a32 3220 7379 736c 6f67 3a20 6b6c 6f67 0x0020: 6420 3a20 6b6c 6f67 2064 6165 6d6f 6e20 0x0030: 7375 6363 6573 7366 756c 6c79 2073 7461 0x0040: 7274 6564 0a 0x0000: 4500 0061 89fe 4000 3f11 3864 0a0a 1efd E..a..@.?.8d.... 0x0010: 0a0a 4619 0804 0202 004d fa0b 3c31 343e ..F......M..<14> 0x0020: 4175 6720 3130 2031 313a 3030 3a32 3220 Aug.10.11:00:22. 0x0030: 7379 736c 6f67 3a20 6b6c 6f67 6420 3a20 syslog:.klogd.:. 0x0040: 6b6c 6f67 2064 6165 6d6f 6e20 7375 6363 klog.daemon.succ 0x0050: 6573 7366 756c 6c79 2073 7461 7274 6564 essfully.started 0x0060: 0a . Yet, this one is received once the packet has been NAT'd to the log subnet (10.10.70.x/24): 11:02:39.217112 IP (tos 0x0, ttl 63, id 55700, offset 0, flags [DF], proto UDP (17), length 101) 10.10.70.1.2052 > 10.10.70.25.514: [udp sum ok] SYSLOG, length: 73 Facility user (1), Severity info (6) Msg: Aug 10 11:02:44 syslog: syslogd : syslog daemon successfully stopped\0x0a 0x0000: 3c31 343e 4175 6720 3130 2031 313a 3032 0x0010: 3a34 3420 7379 736c 6f67 3a20 7379 736c 0x0020: 6f67 6420 3a20 7379 736c 6f67 2064 6165 0x0030: 6d6f 6e20 7375 6363 6573 7366 756c 6c79 0x0040: 2073 746f 7070 6564 0a 0x0000: 4500 0065 d994 4000 3f11 c1c5 0a0a 4601 E..e..@.?.....F. 0x0010: 0a0a 4619 0804 0202 0051 dbfe 3c31 343e ..F......Q..<14> 0x0020: 4175 6720 3130 2031 313a 3032 3a34 3420 Aug.10.11:02:44. 0x0030: 7379 736c 6f67 3a20 7379 736c 6f67 6420 syslog:.syslogd. 0x0040: 3a20 7379 736c 6f67 2064 6165 6d6f 6e20 :.syslog.daemon. 0x0050: 7375 6363 6573 7366 756c 6c79 2073 746f successfully.sto 0x0060: 7070 6564 0a pped. If I remove the NAT rule at the firewall then it stops ingesting again. (Note: the firewall is passing the traffic whether NAT'd or not. The only difference is that the NAT'd messages are ingested by Graylog and the non-NAT'd messages are not). Tested from my workstation using logger -n.... has an identical result: No NAT results in no message being logged, but once NAT is enabled then it works and graylog accepts and processes the message. iptables is not configured on graylog: iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination EDIT - Additional info may be related: As I have a dedicated logging subnet, there is no reason for any device in that subnet to send anything out to any other subnet (ie: this logging subnet is UDP inbound only). To enforce this requirement, the graylog server has no gateway configured on the log subnet, since, there is no valid reason for it to send anything, ever. Might this be the cause? It does of course have a gateway on the mgmt interface which is of course in another subnet (that differs from both the logging and wifi subnets) I am open to any ideas that might help resolve this. I know from prior experience that BSD syslog requires an additional parameter (-a) to accept messages from external subnets, so I assume there may be a similar toggle somewhere in Graylog, but alas I have been unsuccessful in finding it. If I can provide any other info please do not hesitate to ask. Regards, Thomas & *ecloudbizsolns <https://github.com/ecloudbizsolns>* -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/5304eedc-01d9-4490-ac7f-f400b6c184f5%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
