<div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">Dear Rodney,<div> I loaded your config into a freshly built syslog-ng OSE master. (And I also tried to set up a graylog environment, more on that in the second point.)</div><div><br></div><div>1)</div><div>I replaced the graylog destination address with a localhost one.</div><div>I started a netcat instance with the following command: <b>nc -kl 127.0.0.1 12201</b></div><div>I started to send logs into syslog with logger: <b>logger "hello world"</b></div><div><br></div><div>I successfully received the "hello world" message in RFC3164 format on port 12201 with netcat. So your config seems to be working.</div><div><br></div><div><br></div><div>2)</div><div>I have set up a graylog environment following the steps on this page: <a href="https://hub.docker.com/r/graylog/graylog/" target="_blank">https://hub.docker.com/r/graylog/graylog/</a> using docker-compose.</div><div>The started-up graylog instance throws tons of Java exceptions and error messages, but I can reach its WebUI.</div><div><div><div>Inside the interface (despite my attempts to find a solution online) I cannot query any data, since there is an issue with the internal API communication:</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Could not load field information</blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Loading field information failed with status: cannot GET <a href="http://127.0.0.1:9000/api/system/fields" target="_blank">http://127.0.0.1:9000/api/system/fields</a> (500)</blockquote></blockquote></div></div><div>NOTE: At this point I did not take the effort to test out the GELF protocol (port 12201), so I just used the old RFC3164 and the "Syslog TCP input" with the described settings.<br></div><div><br></div><div>I set up a new "input" on the administration interface. Details:</div><div> - type: syslog TCP</div><div> - name: syslog</div><div> - bind address: 0.0.0.0 (left at the default)</div><div> - port: 514 (left at the default)</div><div> </div><div>With a "netstat" command I confirmed that it is listening on port 514, and I also changed the syslog-ng configuration to send the messages to this port.</div><div><br></div><div><br></div><div><div>Although there is no way to query data, I have found a way to confirm that the graylog server actually received the messages:</div></div><div>Under the <a href="http://127.0.0.1:9000/system/inputs" target="_blank">http://127.0.0.1:9000/system/inputs</a> menu item, on the right side of the inputs, there is a button "More actions". In the drop-down list there is a menu item: "Show metrics" (I cannot send you a direct link to this menu item because it contains the UUID of the selected input.)</div><div><br></div><div>On this page there are multiple keys to different metrics.</div><div>- Under org.graylog2.inputs.syslog.tcp.SyslogTCPInput.&lt;hexadecimal ID&gt;.read_bytes_total</div><div> I can see the increasing number of bytes read.</div><div><br></div><div>- Under org.graylog2.inputs.codecs.SyslogCodec.&lt;hexadecimal ID&gt;.processedMessages<br> I can see the processed messages, whose count was identical to the number of logger commands I executed.</div><div><br></div><div>Again: logger -> syslog-ng -> inputs -> graylog<br></div><div>I got a clear flow of messages.</div><div><br></div><div><br></div><div>3)</div><div>To pull syslog-ng out of the picture I did one more step.</div><div>I stopped the syslog-ng service and copied a well-formatted RFC3164 message from the description of the protocol itself: <a href="https://tools.ietf.org/html/rfc3164#section-5.4" target="_blank">https://tools.ietf.org/html/rfc3164#section-5.4</a></div><div><br></div><div>I sent this message with netcat into the "Syslog TCP input", which also led to an increase of the metrics on the described page.</div><div><br></div><div><br></div><div><br></div><div><br></div><div>My final conclusion on the topic:</div><div><br></div><div>- I think your configuration is good. (There might be some other programs on your system which may conflict with the syslog-ng process, but I think nobody can tell that remotely.)</div><div><br></div><div>- I recommend that you check the port numbers and the desired protocols again. Syslog-ng by default uses the RFC3164 format on the network destination, but you set the port number to 12201. (Which indicates that you are trying to use the GELF format.)</div><div> I cannot tell whether it is wrong or not, because you can set up any kind of input on any desired port inside the graylog administration settings.</div><div><br></div><div>- Trying to narrow the problem scope, I recommend the following "man in the middle" approach:</div><div>1) test syslog-ng with a localhost address, with the netcat application, as seen in my first paragraph. (This way you can also verify your syslog-ng configuration.)<br></div><div>2) try the same test with the original destination address, BUT stop the graylog service and use netcat again to receive the logs. (This way you can verify your network setup.)</div><div>3) try to input data into graylog from localhost (on your graylog server) with netcat. I think this step is the most important. (This way you can verify whether graylog is accepting data at all.)</div><div><br></div><div>If everything works flawlessly, I think you are ready to put the whole thing together.</div><div>At this moment I think the community (thank you, everybody, for your time!!!) cannot do any more to solve this problem remotely.</div><div><br></div><div><br></div><div>Best regards,</div><div>László Szemere</div><div><br></div></div></div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Nov 19, 2018 at 10:39 PM Rodney Bizzell <<a href="mailto:hardworker30@gmail.com" target="_blank">hardworker30@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">So I made the changes to the syslog-ng config for the graylog destination and started the debug mode again, hopped on another terminal and ran the logger command with a test message, but I still see nothing getting into my graylog server.
I am uploading the debug file again to see if there is something I am missing. On my graylog side, I have a Syslog input set up and a GELF input set up as well.</div><br><div class="gmail_quote"><div dir="ltr">On Wed, Nov 14, 2018 at 1:31 PM PÁSZTOR György <<a href="mailto:pasztor@linux.gyakg.u-szeged.hu" target="_blank">pasztor@linux.gyakg.u-szeged.hu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I took a look at your debug bundle.<br>
<br>
As far as I can see from the pcap file, TCP communication happens, but it's not<br>
graylog's "protocol", it's the legacy RFC3164.<br>
Unless graylog is expecting the legacy protocol, that's not correct.<br>
Then I spotted this:<br>
<br>
"Rodney Bizzell" <<a href="mailto:hardworker30@gmail.com" target="_blank">hardworker30@gmail.com</a>> wrote on 2018-11-12 at 14:59:<br>
> destination d_graylog {<br>
> tcp("hostname of Graylog server"<br>
> port (12201)<br>
> );<br>
> };<br>
<br>
This configures a legacy tcp destination. It won't format the messages for<br>
gelf.<br>
At least in the case of graylog, the best choice of protocol would be gelf.<br>
The correct configuration for gelf destination would be:<br>
destination d_graylog {<br>
graylog2( host("hostname of Graylog server") );<br>
};<br>
<br>
Or if you want something more detailed or specific, then you can use<br>
this:<br>
destination d_graylog {<br>
network(<br>
"hostname of Graylog server"<br>
port(12201)<br>
transport(tcp)<br>
template("$(format-json --scope all-nv-pairs)\n")<br>
);<br>
};<br>
<br>
Of course, if the gelf destination expects zero-terminated strings, then you<br>
can replace the \n with \0 at the end of the template string.<br>
<br>
Regards,<br>
Gyu<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>
</blockquote></div>
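<div>The netcat checks in the thread above hinge on one question: are the bytes arriving on port 12201 legacy RFC3164 lines or GELF frames? The following is an added example, not code from the thread, from syslog-ng or from Graylog. It is a small Python classifier for the bytes a listener such as <b>nc -kl 127.0.0.1 12201</b> captures: it splits the capture into frames (NUL-delimited for GELF over TCP, newline-delimited for the legacy tcp()/network() destination), parses each one, and also flags JSON that is not GELF because it lacks the keys the GELF payload spec requires (version, host, short_message). All sample frames are constructed; the second legacy line is the example message from RFC 3164 section 5.4, and hostnames, tags and timestamps are invented.</div>

```python
"""Classify the frames captured by a netcat listener standing in for Graylog.

Added example (not from the thread, syslog-ng or Graylog). Tells legacy
RFC3164 traffic apart from GELF so a pcap or netcat dump can be judged
before blaming either syslog-ng or Graylog. Sample frames are constructed.
"""
import json
import re

# RFC 3164 header: "<PRI>Mmm dd hh:mm:ss HOSTNAME MSG", PRI = facility*8 + severity (max 191)
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<hostname>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

# Keys the GELF payload spec makes mandatory; Graylog rejects frames without them.
GELF_REQUIRED = ("version", "host", "short_message")


def split_frames(captured: bytes) -> list:
    """GELF over TCP delimits messages with a NUL byte; the legacy tcp()/network()
    destination terminates each RFC3164 line with a newline."""
    delimiter = b"\x00" if b"\x00" in captured else b"\n"
    return [frame for frame in captured.split(delimiter) if frame]


def parse_rfc3164(frame: bytes):
    match = RFC3164_RE.match(frame.decode("utf-8", "replace"))
    if match is None:
        return None
    pri = int(match.group("pri"))
    if pri > 191:  # facility 0..23 and severity 0..7 only
        return None
    return {
        "format": "rfc3164",
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": match.group("timestamp"),
        "hostname": match.group("hostname"),
        "msg": match.group("msg"),
    }


def parse_gelf(frame: bytes):
    try:
        obj = json.loads(frame.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(obj, dict):
        return None
    missing = [key for key in GELF_REQUIRED if key not in obj]
    if missing:
        # Valid JSON but not GELF, e.g. a format-json template without the required keys
        return {"format": "json-not-gelf", "missing": missing, "keys": sorted(obj)}
    additional = {k: v for k, v in obj.items() if k.startswith("_")}
    return {"format": "gelf", "version": obj["version"], "host": obj["host"],
            "short_message": obj["short_message"], "additional": additional}


def classify(captured: bytes) -> list:
    """One dict per frame: format is rfc3164, gelf, json-not-gelf or unknown."""
    results = []
    for frame in split_frames(captured):
        parsed = parse_gelf(frame) or parse_rfc3164(frame) or {"format": "unknown"}
        results.append(parsed)
    return results


# Constructed: what a legacy tcp() destination sends for `logger "hello world"`
# (PRI 13 = user.notice), followed by the example message from RFC 3164 section 5.4.
SAMPLE_LEGACY = (
    b"<13>Nov 20 10:15:42 testhost root: hello world\n"
    b"<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8\n"
)
# Constructed: a GELF 1.1 frame as a GELF TCP destination would send it, NUL-terminated.
SAMPLE_GELF = (
    b'{"version":"1.1","host":"testhost","short_message":"hello world",'
    b'"timestamp":1542709742,"level":5,"_program":"root"}\x00'
)
# Constructed: JSON of syslog-ng name-value pairs that carries none of the GELF keys.
SAMPLE_PLAIN_JSON = (
    b'{"PROGRAM":"root","MESSAGE":"hello world","HOST":"testhost",'
    b'"FACILITY":"user","PRIORITY":"notice"}\n'
)

if __name__ == "__main__":
    for label, sample in (("legacy", SAMPLE_LEGACY), ("gelf", SAMPLE_GELF),
                          ("plain json", SAMPLE_PLAIN_JSON)):
        for result in classify(sample):
            print(f"{label}: {result['format']}  {result}")
```

<div>Usage: save the bytes netcat prints (or the TCP payload extracted from the pcap) to a file, read it in binary mode and pass it to classify(). A result of rfc3164 on port 12201 reproduces the mismatch described in the thread; json-not-gelf means the template produced JSON that Graylog's GELF input will still not accept.</div>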