tcpdump

14:44:05.575124 IP 10.11.108.251.58849 > 10.8.1.74.50516: UDP, length 202
14:44:05.582626 IP 10.11.108.251.58849 > 10.8.1.74.50516: UDP, length 204
14:44:05.583660 IP 10.11.108.251.58849 > 10.8.1.74.50516: UDP, length 223
14:44:05.586082 IP 10.11.108.251.58849 > 10.8.1.74.50516: UDP, length 223
14:44:05.587927 IP 10.11.108.251.58849 > 10.8.1.74.50516: UDP, length 223
14:44:05.593236 IP 10.11.108.251.58849 > 10.8.1.74.50516: UDP, length 241
14:44:05.602430 IP 10.11.108.251.58849 > 10.8.1.74.50516: UDP, length 244
14:44:05.614467 IP 10.11.108.251.58849 > 10.8.1.74.50516: UDP, length 242
14:44:05.614555 IP 10.11.108.251.58849 > 10.8.1.74.50516: UDP, length 244
14:44:05.626040 IP 10.11.108.251.58849 > 10.8.1.74.50516: UDP, length 223
14:44:05.627294 IP 10.11.108.251.58849 > 10.8.1.74.50516: UDP, length 203

On Wednesday, 23 November 2016 14:48:20 UTC+3, SancheZZS wrote:
>
> No messages.
>
> TEst2 Raw/Plaintext UDP 1 RUNNING
>
> - bind_address: 0.0.0.0
> - override_source: <empty>
> - port: 50516
> - recv_buffer_size: 262144
>
> Throughput / Metrics
> 1 minute average rate: 0 msg/s
> Network IO: 0B 0B (total: 0B 0B )
> Empty messages discarded: 0
>
> On Tuesday, 22 November 2016 17:01:18 UTC+3, Jochen Schalanda wrote:
>>
>> Hi,
>>
>> please try using a Raw/Plaintext UDP input instead of the Syslog input
>> and check the incoming messages.
>>
>> Cheers,
>> Jochen
>>
>> On Tuesday, 22 November 2016 13:40:23 UTC+1, SancheZZS wrote:
>>>
>>> Hi all!
>>> I have an issue with inputs and the Snort syslog stream.
>>>
>>> The syslog stream is generated by
>>>
>>> $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
>>> local5.alert @10.8.1.74:50515;GRAYLOGRFC5424
>>>
>>> tcpdump shows all packets on the graylog server
>>>
>>> # tcpdump -ni ens3 port 50515
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on ens3, link-type EN10MB (Ethernet), capture size 262144 bytes
>>> 15:33:57.322608 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 227
>>> 15:33:57.355921 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 240
>>> 15:33:57.591771 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 240
>>> 15:33:57.599199 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 241
>>> 15:33:57.708689 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 240
>>> 15:33:58.202035 IP 10.11.108.251.39605 > 10.8.1.74.50515: UDP, length 240
>>>
>>> But Graylog does not show any messages.
>>>
>>> Snort Eth3 (Syslog UDP)
>>>
>>> override_source:
>>> recv_buffer_size: 524288
>>> allow_override_date: true
>>> bind_address: 0.0.0.0
>>> port: 50515
>>> store_full_message: true
>>>
>>> Throughput / Metrics
>>> 1 minute average rate: 0 msg/s
>>> Network IO: 0B 0B (total: 0B 0B )
>>>
>>> I tried some Graylog versions (1.2.2, 2.0.x, 2.1.x).
>>>
>>> What am I missing? Any and all suggestions are welcome.

--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/76ee7149-b9d4-4cda-848c-fcf779c8be04%40googlegroups.com.
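Added diagnostic example, not code from the thread or from Graylog: a listener that binds the UDP port the way the input does, so it reports what actually reaches a socket rather than what tcpdump sees on the wire, and checks each datagram against the RFC 5424 layout that the template in the thread emits. It assumes Python 3; the sample datagrams, the host name sensor01 and the rule id 1:1000001:1 are constructed.

```python
import re
import socket
from typing import Optional

# Header layout the rsyslog template in the thread emits (RFC 5424):
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>-|\d{4}-\d{2}-\d{2}T[0-9:.]+(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<hostname>\S{1,255}) (?P<appname>\S{1,48}) (?P<procid>\S{1,128}) "
    r"(?P<msgid>\S{1,32}) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)
# Constructed sample datagrams (not captured from the thread); local5.alert gives PRI 21*8+1 = 169.
SAMPLES = [
    b"<169>1 2016-11-22T15:33:57.322608+03:00 sensor01 snort 1234 - - "
    b"[1:1000001:1] constructed test alert {TCP} 192.0.2.10:80 -> 198.51.100.5:49152\n",
    b"<169>Nov 22 15:33:57 sensor01 snort[1234]: BSD-style line, not RFC 5424\n",
    b"",  # an empty datagram is what an input counts under "Empty messages discarded"
]

def parse_rfc5424(datagram: bytes) -> Optional[dict]:
    """Return the header fields of one datagram, or None if it is empty or not RFC 5424."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\n")
    m = RFC5424_RE.match(text) if text else None
    if not m:
        return None
    fields = m.groupdict()
    fields["facility"], fields["severity"] = divmod(int(fields["pri"]), 8)
    fields["version_ok"] = fields["version"] == "1"  # RFC 5424 fixes VERSION at 1
    return fields

def listen(port: int = 50516, count: int = 5, timeout: float = 10.0) -> int:
    """Bind 0.0.0.0:<port> as the input does and parse what actually reaches the socket.
    tcpdump captures before the host firewall, so a packet seen there may never be delivered."""
    parsed_ok = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        sock.settimeout(timeout)
        for _ in range(count):
            try:
                data, (src, sport) = sock.recvfrom(65535)
            except socket.timeout:
                print(f"nothing reached the socket in {timeout:.0f}s: firewall, bind address or port?")
                break
            fields = parse_rfc5424(data)
            print(f"{src}:{sport} {len(data)} bytes: {'RFC 5424 ok' if fields else 'empty or not RFC 5424'}")
            parsed_ok += 1 if fields else 0
    return parsed_ok  # number of datagrams that parsed as RFC 5424
```

Call `listen()` on the Graylog host while the sensor is sending; it binds the port itself, so stop the Graylog input on that port first.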
