Hi,

"Rodney Bizzell" <hardworker30@gmail.com> írta 2018-11-07 15:14-kor:
> I can try that but I echoed a message from the syslog server to the graylog
> server and that worked

What this exactly means that you "echoed" a message?
echo -ne '{some json formatted graylog message}\0' | nc graylog.server 12201
?

Can you please share the details?
It's really hard to guess what you exactly thought of. And I don't have my
magic crystal sphere with me to have a more reliable guess.

Have you run a tcpdump to check communication between syslog-ng and
graylog? Could you please share the pcap file?

You only shared the debug messages of the syslog-ng initialization.
But we haven't seen in your other mail what the debug mode says if you send
in a message which should end up on the graylog server.
Well, this is what debug mode is for: to debug situations like this.

At this point it could be also useful, if this test system doesn't contain
any sensitive information, to start a debug bundle run, and share the
result:
When your config is ready, etc. just use these parameters for the debun
command:
syslog-ng-debun -d -P 'port 12201'

It will stop system's syslog-ng service, and restart that in debug mode and
collect the data, and will wait for your input when to stop data collecting.
So, while it runs in debug mode, on a second terminal please try to send a
log message, what destined to reach the graylog server.
Wait a couple of seconds.
Then hit the enter on the first terminal where the data collection is
running.
It will pack the collected data into a tarball, and notify you where is the
resulting file. Then please share that file with us.

I think that is the most straightforward way to solve this mistery.

Regards,
Gyu
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq