Hi all!
I have an issue with inputs and a Snort syslog stream.
The syslog stream is generated by this rsyslog configuration:
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
local5.alert @10.8.1.74:50515;GRAYLOGRFC5424
tcpdump shows all the packets arriving on the Graylog server:
# tcpdump -ni ens3 port 50515
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
15:33:57.322608 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 227
15:33:57.355921 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 240
15:33:57.591771 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 240
15:33:57.599199 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 241
15:33:57.708689 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 240
15:33:58.202035 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 240
But Graylog does not show any messages.
Snort Eth3 (Syslog UDP)
override_source:
recv_buffer_size: 524288
allow_override_date: true
bind_address: 0.0.0.0
port: 50515
store_full_message: true
Throughput / Metrics
1 minute average rate: 0 msg/s
Network IO: 0B 0B (total: 0B 0B )
I tried several Graylog versions (1.2.2, 2.0.x, 2.1.x).
What am I missing? Any and all suggestions are welcome.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/897dc4a4-6c9f-49b3-bcf6-d2dc6864eb32%40googlegroups.com.
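The symptom above (packets visible in tcpdump, 0 B network IO on the input) separates into two questions: is the frame rsyslog emits actually a well-formed RFC 5424 message, and does the Graylog input receive anything at all when a known-good frame is sent to it from the Graylog host itself. The script below is an added troubleshooting example, not part of the original post and not Graylog or rsyslog code. It builds a message in exactly the shape the GRAYLOGRFC5424 template produces, parses it back with a minimal RFC 5424 header parser, and can send it over UDP to an arbitrary host:port. The loopback round-trip helper, the hostname "sensor1", the process id "1234" and the alert text are constructed for the demonstration; local5.alert corresponds to PRI 169 (facility 21 * 8 + severity 1).

```python
import re
import socket
import sys
from datetime import datetime, timezone

# RFC 5424 header as the rsyslog template lays it out:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)

LOCAL5 = 21   # syslog facility number of local5
ALERT = 1     # syslog severity number of alert


def format_rfc5424(facility, severity, hostname, appname, msg,
                   procid="-", msgid="-", sd="-", timestamp=None):
    """Build one line shaped like the GRAYLOGRFC5424 template output."""
    if timestamp is None:
        # rsyslog's date-rfc3339 emits microseconds and a UTC offset
        timestamp = datetime.now(timezone.utc).isoformat(timespec="microseconds")
    pri = facility * 8 + severity
    return f"<{pri}>1 {timestamp} {hostname} {appname} {procid} {msgid} {sd} {msg}\n"


def parse_rfc5424(line):
    """Return the header fields of an RFC 5424 line, or None if it does not parse."""
    m = RFC5424_RE.match(line.rstrip("\n"))
    if not m:
        return None
    fields = m.groupdict()
    pri = int(fields["pri"])
    fields["facility"] = pri // 8
    fields["severity"] = pri % 8
    return fields


def send_udp(host, port, payload):
    """Fire one UDP datagram at host:port; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload.encode("utf-8"), (host, port))


def loopback_roundtrip(payload):
    """Constructed self-check: bind a listener on 127.0.0.1, send payload to it,
    and return the received datagram parsed as RFC 5424."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        port = rx.getsockname()[1]
        send_udp("127.0.0.1", port, payload)
        data, _ = rx.recvfrom(65535)
    return parse_rfc5424(data.decode("utf-8"))


if __name__ == "__main__":
    # Usage: python3 this.py <graylog-host> <udp-port>
    # Run it on the Graylog server itself to take the network out of the picture.
    host, port = sys.argv[1], int(sys.argv[2])
    # Constructed Snort-style alert text, not a real alert.
    line = format_rfc5424(LOCAL5, ALERT, "sensor1", "snort",
                          "[1:1000001:1] constructed test alert {TCP} 10.0.0.1 -> 10.0.0.2",
                          procid="1234")
    assert parse_rfc5424(line) is not None, "template output does not parse as RFC 5424"
    print(f"sent {send_udp(host, port, line)} bytes: {line!r}")
```

If the input's message counter moves for a frame sent this way from the Graylog host but not for the rsyslog stream, the problem is in what rsyslog emits or in the path between the two hosts; if it does not move even for the local frame, the input itself is not receiving on that port and the input configuration or the listening socket is the place to look.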