Hi,

I took a look at your debug bundle. As far as I can see from the pcap file, tcp communication happens, but it's not Graylog's "protocol", it's the legacy rfc3164. Unless Graylog is expecting the legacy protocol, that's not correct.

Then I spotted this:

"Rodney Bizzell" <hardworker30@gmail.com> wrote on 2018-11-12 at 14:59:
destination d_graylog { tcp("hostname of Graylog server" port (12201) ); };
This configures a legacy tcp destination. It won't format the messages for gelf. At least in the case of Graylog, the best choice for protocol would be gelf. The correct configuration for a gelf destination would be:

    destination d_graylog { graylog2( host("hostname of Graylog server") ); };

Or, if you want something more detailed or specific, then you can use this:

    destination d_graylog {
        network(
            "hostname of Graylog server"
            port(12201)
            transport(tcp)
            template("$(format-json --scope all-nv-pairs)\n")
        );
    };

Of course, if the gelf destination expects zero-terminated strings, then you can replace the \n with \0 at the end of the template string.

Regards,
Gyu
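An added example, not part of the original message and not syslog-ng or Graylog code: a Python check that performs the kind of pcap inspection described above on a reassembled TCP payload, reporting the frame delimiter and whether each frame is legacy rfc3164 or GELF JSON. The function names are hypothetical, the sample payloads are constructed, and it assumes the GELF 1.1 mandatory fields version, host and short_message.

```python
import json
import re

# rfc3164 line: "<PRI>Mmm dd hh:mm:ss host tag: msg"
RFC3164_RE = re.compile(rb"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ ")
GELF_REQUIRED = ("version", "host", "short_message")  # assumed GELF 1.1 fields


def split_frames(payload: bytes):
    """Return (delimiter name, frames); a NUL anywhere means NUL framing."""
    name, delim = ("nul", b"\0") if b"\0" in payload else ("newline", b"\n")
    return name, [f for f in payload.split(delim) if f.strip()]


def classify_frame(frame: bytes) -> str:
    m = RFC3164_RE.match(frame)
    if m and int(m.group(1)) <= 191:  # PRI = facility*8 + severity, max 23*8+7
        return "rfc3164"
    try:
        doc = json.loads(frame)
    except ValueError:  # covers JSON and UTF-8 decode errors
        return "unknown"
    if isinstance(doc, dict) and all(k in doc for k in GELF_REQUIRED):
        return "gelf"
    return "json-not-gelf"


def classify_payload(payload: bytes):
    name, frames = split_frames(payload)
    return name, [classify_frame(f) for f in frames]


# Constructed sample payloads (not taken from the debug bundle).
LEGACY_SAMPLE = (b"<13>Nov 12 14:59:01 web01 sshd[812]: session opened\n"
                 b"<13>Nov 12 14:59:02 web01 sshd[812]: session closed\n")
GELF_SAMPLE = json.dumps({"version": "1.1", "host": "web01",
                          "short_message": "session opened",
                          "level": 5}).encode() + b"\0"
JSON_SAMPLE = b'{"MESSAGE": "session opened", "HOST": "web01"}\n'

if __name__ == "__main__":
    for label, data in (("legacy", LEGACY_SAMPLE), ("gelf", GELF_SAMPLE),
                        ("json", JSON_SAMPLE)):
        print(label, classify_payload(data))
```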