Hi, please try using a Raw/Plaintext UDP input instead of the Syslog input and check the incoming messages.
Cheers,
Jochen

On Tuesday, 22 November 2016 13:40:23 UTC+1, SancheZZS wrote:
> Hi all!
> I have an issue with inputs and the Snort syslog stream.
>
> The syslog stream is generated by
>
> $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
> local5.alert @10.8.1.74:50515;GRAYLOGRFC5424
>
> tcpdump shows all packets on the graylog server
>
> # tcpdump -ni ens3 port 50515
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
> 15:33:57.322608 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 227
> 15:33:57.355921 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 240
> 15:33:57.591771 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 240
> 15:33:57.599199 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 241
> 15:33:57.708689 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 240
> 15:33:58.202035 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 240
>
> But graylog does not show any messages.
>
> Snort Eth3 (Syslog UDP)
>
> override_source:
> recv_buffer_size: 524288
> allow_override_date: true
> bind_address: 0.0.0.0
> port: 50515
> store_full_message: true
>
> Throughput / Metrics
> 1 minute average rate: 0 msg/s
> Network IO: 0B 0B (total: 0B 0B )
>
> I tried several graylog versions (1.2.2, 2.0.x, 2.1.x).
>
> What am I missing? Any and all suggestions are welcome.
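The reply above boils down to "look at the bytes Graylog actually receives before trusting the Syslog parser". The script below is an added example (not code from this thread, from rsyslog or from Graylog) that does the same thing from the command line: it binds a UDP port like a plaintext input, prints every datagram raw, and then reports whether the datagram has the RFC 5424 header layout that the GRAYLOGRFC5424 template is meant to produce. The port number, host names and the three sample datagrams are constructed for illustration; nothing here is captured traffic from the original poster.

```python
"""Added example, not from the thread or from Graylog: a throwaway UDP listener
that behaves like a plaintext input and also reports whether each datagram
matches the RFC 5424 header layout produced by the rsyslog template
"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%".
Port, host names and the sample datagrams below are assumptions for illustration.
"""
import re
import socket
from typing import Optional

# One named group per header field; field length limits follow RFC 5424 section 6,
# and "-" is the NILVALUE for TIMESTAMP and STRUCTURED-DATA.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T\S+) "
    r"(?P<hostname>\S{1,255}) (?P<appname>\S{1,48}) "
    r"(?P<procid>\S{1,128}) (?P<msgid>\S{1,32}) "
    r"(?P<sd>-|(?:\[[^\]]+\])+)"
    r"(?: (?P<msg>.*))?$",
    re.DOTALL,
)

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample datagrams (not captured traffic). PRI 169 = local5.alert (21 * 8 + 1).
RFC5424_ALERT = (
    b"<169>1 2016-11-22T15:33:57.322608+01:00 sensor1 snort 2104 - - "
    b"[1:1000001:1] constructed test alert {TCP} 10.0.0.1:1234 -> 10.0.0.2:80\n"
)
RFC5424_WITH_SD = (
    b"<169>1 2016-11-22T15:33:57.355921+01:00 sensor1 snort 2104 - "
    b'[example@32473 iut="3"] constructed alert with structured data\n'
)
# What a BSD-style (RFC 3164) line looks like; it deliberately does not match the 5424 layout.
RFC3164_ALERT = b"<169>Nov 22 15:33:57 sensor1 snort[2104]: constructed BSD-style alert\n"


def parse_rfc5424(datagram: bytes) -> dict:
    """Return ok=True plus the header fields, or ok=False plus a reason and the raw text."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = HEADER_RE.match(text)
    if m is None:
        return {"ok": False, "reason": "header does not match the RFC 5424 layout", "raw": text}
    fields = m.groupdict()
    pri = int(fields["pri"])
    if pri > 191:  # facility 23 * 8 + severity 7 is the largest legal PRI
        return {"ok": False, "reason": f"PRI {pri} out of range", "raw": text}
    facility, severity = divmod(pri, 8)
    fields.update(ok=True, facility=FACILITIES[facility],
                  severity=SEVERITIES[severity], msg=fields["msg"] or "")
    return fields


def listen(port: int, bind_address: str = "0.0.0.0", max_datagrams: Optional[int] = None) -> int:
    """Print each datagram raw, then its parse result. Returns the number of datagrams received."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_address, port))
    seen = 0
    try:
        while max_datagrams is None or seen < max_datagrams:
            data, (src, sport) = sock.recvfrom(65535)
            seen += 1
            print(f"{src}:{sport} {len(data)} bytes: {data!r}")
            print("  ->", parse_rfc5424(data))
    finally:
        sock.close()
    return seen


def send(datagram: bytes, host: str, port: int) -> int:
    """Replay one datagram to a UDP input; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


if __name__ == "__main__":
    import sys
    # Usage: run where the packets arrive, e.g. `python rfc5424_probe.py 50515`
    listen(int(sys.argv[1]) if len(sys.argv) > 1 else 50515)
```

Two practical notes: the listener needs the port to itself, so stop the Graylog input on that port (or pick a spare port and point rsyslog at it) before running it; and `send(RFC5424_ALERT, "10.8.1.74", 50515)` gives you a known-good datagram to push at the input so that you can separate "nothing reaches the input" from "what reaches it is not accepted".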
