I'm really struggling to figure out why I can't log a few messages into
Graylog 1.3.3-1. I've got several NetApp systems running OnTap 8.3.1
cluster mode and I'm trying to send the command audit log over:
cluster log-forwarding create -destination graylog-server.site.com -port 514 -facility user
From some clusters it works fine and from some I can't seem to get messages
to show up in Graylog. I've tried a different input (always Basic Syslog
UDP) with different ports, 514 or 5140. The messages always seem to get to
the Graylog server as I can see them come in with tcpdump but they never
show. I can't find any errors when I run Graylog in debug mode but I'm not
sure how I can trace what looks like a guid back to the specific message.
I should also point out that other messages from the same storage array
make it in although I'm not sure if it's all of them.
Here's an example tcpdump on the graylog server from a system that works
fine:
21:56:36.401789 IP 10.6.17.104.20591 > 10.12.8.175.514: SYSLOG user.info, length: 189
0x0000: 4500 00d9 9769 0000 3711 bddb 0a0a 110b E....i..7.......
0x0010: 0a0c 08af 506f 0202 00c5 237b 3c31 343e ....Po....#{<14>
0x0020: 4665 6220 3138 2032 313a 3536 3a33 3620 Feb.18.21:56:36.
0x0030: 6561 632d 6e6f 6465 313a 2030 3030 3030 eac-node1:.00000
0x0040: 3430 662e 3031 3839 6566 6661 2030 3634 40f.0189effa.064
0x0050: 6230 6138 3320 5468 7520 4665 6220 3138 b0a83.Thu.Feb.18
0x0060: 2032 3031 3620 3231 3a35 363a 3335 202d .2016.21:56:35.-
0x0070: 3038 3a30 3020 5b6b 6572 6e5f 636f 6d6d 08:00.[kern_comm
0x0080: 616e 642d 6869 7374 6f72 793a 696e 666f and-history:info
0x0090: 3a39 3431 5d20 7373 6820 3a3a 2031 302e :941].ssh.::.10.
0x00a0: 3130 2e31 3234 2e31 3230 203a 3a20 6561 10.124.120.::.ea
0x00b0: 6361 6e61 6461 5c6d 656e 676c 616e 642d canada\mengland-
0x00c0: 3220 3a3a 2073 6574 2064 6961 6720 3a3a 1.::.set.diag.::
0x00d0: 2053 7563 6365 7373 0a .Success.
And here's one that fails, also a tcpdump from the graylog server.
21:57:06.564164 IP 10.8.12.180.32275 > 10.12.8.175.514: SYSLOG user.info, length: 189
0x0000: 4500 00d9 4722 0000 3911 1064 0a0b 0cc9 E...G"..9..d....
0x0010: 0a0c 08af 7e13 0202 00c5 9742 3c31 343e ....~......B<14>
0x0020: 4665 6220 3139 2030 303a 3537 3a30 3620 Feb.19.00:57:06.
0x0030: 6561 6d2d 6e6f 6465 323a 2030 3030 3030 eam-node2:.00000
0x0040: 3031 382e 3030 3731 3663 6634 2030 3635 018.00716cf4.065
0x0050: 3639 3938 6420 4672 6920 4665 6220 3139 6998d.Fri.Feb.19
0x0060: 2032 3031 3620 3030 3a35 373a 3035 202d .2016.00:57:05.-
0x0070: 3035 3a30 3020 5b6b 6572 6e5f 636f 6d6d 05:00.[kern_comm
0x0080: 616e 642d 6869 7374 6f72 793a 696e 666f and-history:info
0x0090: 3a39 3031 5d20 7373 6820 3a3a 2031 302e :901].ssh.::.10.
0x00a0: 3130 2e31 3234 2e31 3230 203a 3a20 6561 10.124.120.::.ea
0x00b0: 6361 6e61 6461 5c6d 656e 676c 616e 642d canada\mengland-
0x00c0: 3220 3a3a 2073 6574 2064 6961 6720 3a3a 1.::.set.diag.::
0x00d0: 2053 7563 6365 7373 0a .Success.
Anyone with ideas?