pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

Remote syslog not working #642

Closed dmayan closed 7 years ago

dmayan commented 7 years ago

Hi Pavel,

I have enabled logging:remote_syslog_logging so I can get notifications via my Graylog installation.

    logging:local_syslog_logging = off
    logging:remote_syslog_logging = on
    logging:remote_syslog_server = 172.16.2.131
    logging:remote_syslog_port = 5514

The Graylog server is working correctly as I'm collecting all my network logs there.

What could be the problem? Running on Debian 8.6 VM. Graylog is the same.

Thanks, Diego

pavel-odintsov commented 7 years ago

Hello!

Could you share your /var/log/fastnetmon.log?

dmayan commented 7 years ago

Sure!! Here it is. Also I noticed a lot of info about attacks without details?

fastnetmon.zip

pavel-odintsov commented 7 years ago

Hello!

According to logs it was configured correctly:

    2017-03-26 17:18:19,679 [INFO] We have configured remote syslog logging corectly
    2017-03-26 17:18:19,679 [INFO] We will read ban settings for my_hosts
    2017-03-26 17:18:19,679 [ERROR] We can't find notify script /usr/local/bin/notify_about_attack.sh
    2017-03-26 17:18:19,685 [INFO] Read configuration file
    2017-03-26 17:18:19,685 [INFO] We start remote syslog logging corectly

Could you check it with tcpdump on the source / target machine?

dmayan commented 7 years ago

I tried sending with logger and it worked ok, so I can discard a network problem.

I will capture with TCP dump and see if there is another problem.

thanks

pavel-odintsov commented 7 years ago

It should be udp. I do not think that we support tcp.

dmayan commented 7 years ago

Sorry, tcpdump. It is UDP port 5514

dmayan commented 7 years ago

This is a tcpdump on the receiving side. I don't see anything abnormal, but Graylog doesn't show anything.

fnm.capture.cap.zip

dmayan commented 7 years ago

Pavel,

Setting a RAW UDP input in Graylog solved the problem. Now Graylog is receiving the logs ok. I was using Syslog UDP input.

Let me know if you need something more.

Thanks
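Why a "Syslog UDP" input can stay empty while a "Raw UDP" input receives everything: a syslog-parsing input expects each datagram to start with a `<PRI>` header (RFC 3164/5424), and a datagram that is just a plain text line is rejected or dropped by the parser, whereas a raw input stores whatever bytes arrive. The script below is an added diagnostic written for this thread; it is not part of FastNetMon or of the issue, and it assumes (consistent with the fix reported above, but not confirmed by the page) that the datagrams reaching the collector lack a PRI header. It binds a throwaway UDP listener on loopback, sends a line to it, and reports whether the received payload parses as syslog, so the same check can be run against a packet capture payload before changing the collector's input type.

```python
"""Classify UDP datagrams on a syslog port: does the payload carry a
syslog PRI header ("<NNN>" prefix), or is it a raw text line?
Added example for the FastNetMon remote-syslog issue; not project code."""
import re
import socket

# A syslog PRI is "<" + decimal 0..191 + ">" at the very start of the datagram.
PRI_RE = re.compile(r"^<(\d{1,3})>")

# One log line quoted in the issue, reused here as the "raw" sample payload.
RAW_LINE = "2017-03-26 17:18:19,685 [INFO] We start remote syslog logging corectly"


def classify_datagram(payload: bytes) -> dict:
    """Return facility/severity if the payload starts with a valid PRI header,
    otherwise flag it as a raw (non-syslog) line."""
    text = payload.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if not m:
        return {"syslog": False, "message": text}
    pri = int(m.group(1))
    if pri > 191:  # facility 23 * 8 + severity 7 is the largest legal value
        return {"syslog": False, "message": text}
    return {
        "syslog": True,
        "facility": pri // 8,
        "severity": pri % 8,
        "message": text[m.end():],
    }


def wrap_as_syslog(line: str, facility: int = 1, severity: int = 6,
                   hostname: str = "fnm-host",
                   timestamp: str = "Mar 26 17:18:19") -> bytes:
    """Prefix a raw line with an RFC 3164 header so a syslog-parsing input
    will accept it. hostname/timestamp are constructed sample values."""
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} fastnetmon: {line}".encode("utf-8")


def udp_roundtrip(payload: bytes, host: str = "127.0.0.1") -> dict:
    """Bind an ephemeral UDP listener, send the payload to it from a second
    socket, and classify exactly the bytes that arrive on the wire."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((host, 0))
        rx.settimeout(2.0)
        port = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(payload, (host, port))
        data, _ = rx.recvfrom(65535)
    return classify_datagram(data)


if __name__ == "__main__":
    # Raw line: a syslog-parsing input has nothing to parse; a raw input keeps it.
    print("raw line   ->", udp_roundtrip(RAW_LINE.encode()))
    # Same line with a PRI header: facility 1 (user), severity 6 (info).
    print("syslog line->", udp_roundtrip(wrap_as_syslog(RAW_LINE)))
```

Run it once with the actual payload extracted from the capture (the UDP data field, as bytes) in place of `RAW_LINE`: if `classify_datagram` reports `syslog: False`, a syslog-format input on the collector will not store the message and a raw UDP input is the right choice, which matches what was found above.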

pavel-odintsov commented 7 years ago

Perfect!