Hi Sam,

Don't take ports which are already in use. Your netstat output shows that
9300 is in use. 5140 was a good choice. You should investigate why the
graylog input does not listen on that port.

On 16.08.2016 at 9:36 PM, "sam" <mrpleo...@gmail.com> wrote:

> Ha,
>
>
> Now I have defined a port in /etc//rsyslog.conf as
>
> *.* @@162.20.100.27:9300
>
>
>
> and my graylog server input as syslog_TCP with port 9300 and bind address:
> 162.20.100.27
>
>
> My log is clear:
>
>
> 2016-08-16T15:17:13.831-04:00 WARN  [NettyTransport] receiveBufferSize (SO_RCVBUF) for input SyslogTCPInput{title=!0.12.100.15, type=org.graylog2.inputs.syslog.tcp.SyslogTCPInput, nodeId=null} should be 1048576 but is 212992.
> 2016-08-16T15:17:13.842-04:00 INFO  [InputStateListener] Input [Syslog TCP/57b36663eb183f7ccc9de01a] is now RUNNING
>
>
>
>
>
> As per my knowledge :
>
> We can configure 514 port in syslog and same port as input in graylog
> input right?
>
>
>
>
> Thank you
>
> On Tuesday, August 16, 2016 at 12:10:09 PM UTC-7, Ha NN wrote:
>>
>> Hi Sam,
>>
>> You cannot capture anything if nothing is listening on that port. I guess
>> there is something wrong with your graylog input config. Maybe you should
>> have a look into the graylog log.
>>
>> On 16.08.2016 at 9:04 PM, "sam" <mrpl...@gmail.com> wrote:
>>
>>> Hi Ha,
>>>
>>>
>>> Below is the log from tcpdump:
>>>
>>>  tcpdump -i eth0 port 5140
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol
>>> decode
>>> listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
>>>
>>> 0 packets captured
>>> 1 packets received by filter
>>> 0 packets dropped by kernel
>>>
>>> Thank you
>>>
>>>
>>> On Tuesday, August 16, 2016 at 11:57:31 AM UTC-7, Ha NN wrote:
>>>>
>>>> Hi Sam,
>>>>
>>>> You can get your interface number with
>>>>
>>>> ifconfig -a
>>>>
>>>> You need the interface for the ip 162.20.100.27. Something like eth0,
>>>> eth1. So the command should look like
>>>>
>>>> tcpdump -i eth0 port 5140
>>>>
>>>> No, you cannot use port 16001 because it's in use. Maybe you should double
>>>> check your syslog input in graylog.
>>>>
>>>> On 16.08.2016 at 8:44 PM, "sam" <mrpl...@gmail.com> wrote:
>>>>
>>>>> Hi Ha,
>>>>>
>>>>> I am not able to use this one:
>>>>>
>>>>> tcpdump -i ethX port 5140   where ;
>>>>>
>>>>>
>>>>> tcpdump -i eth162.20.100.27 port 5140  (Can you please let me know
>>>>> whether I am using the right one)
>>>>>
>>>>>
>>>>> Can I use 16001 to configure syslog to receive the logs ???
>>>>>
>>>>> Thank you Ha
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Tuesday, August 16, 2016 at 11:36:29 AM UTC-7, Ha NN wrote:
>>>>>>
>>>>>> Hi Sam,
>>>>>>
>>>>>> There is nothing on port 5140.
>>>>>>
>>>>>> On 16.08.2016 at 8:21 PM, "sam" <mrpl...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Ha,
>>>>>>>
>>>>>>> Below is the output for netstat -tulpen, where my graylog address
>>>>>>> is 162.20.100.27:
>>>>>>>
>>>>>>> Active Internet connections (only servers)
>>>>>>> Proto Recv-Q Send-Q Local Address               Foreign Address             State       User       Inode      PID/Program name
>>>>>>> tcp        0      0 162.20.100.27:16001         0.0.0.0:*                   LISTEN      0          14422      1311/python
>>>>>>> tcp        0      0 127.0.0.1:27017             0.0.0.0:*                   LISTEN      499        21667      2180/mongod
>>>>>>> tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      0          14409      1651/sshd
>>>>>>> tcp        0      0 ::ffff:162.20.100.27:12900  :::*                        LISTEN      497        570097     30968/java
>>>>>>> tcp        0      0 ::ffff:127.0.0.1:9350       :::*                        LISTEN      497        570036     30968/java
>>>>>>> tcp        0      0 ::1:9350                    :::*                        LISTEN      497        570035     30968/java
>>>>>>> tcp        0      0 ::ffff:162.20.100.27:9000   :::*                        LISTEN      497        569340     30968/java
>>>>>>> tcp        0      0 :::12201                    :::*                        LISTEN      497        610172     30968/java
>>>>>>> tcp        0      0 ::ffff:127.0.0.1:9200       :::*                        LISTEN      498        103819     25135/java
>>>>>>> tcp        0      0 ::1:9200                    :::*                        LISTEN      498        103818     25135/java
>>>>>>> tcp        0      0 ::ffff:127.0.0.1:9300       :::*                        LISTEN      498        103168     25135/java
>>>>>>> tcp        0      0 ::1:9300                    :::*                        LISTEN      498        103791     25135/java
>>>>>>> tcp        0      0 :::22                       :::*                        LISTEN      0          14411      1651/sshd
>>>>>>> udp        0      0 0.0.0.0:68                  0.0.0.0:*                               0          13290      1594/dhclient
>>>>>>> udp        0      0 162.20.100.27:123           0.0.0.0:*                               0          30140      2804/ntpd
>>>>>>> udp        0      0 127.0.0.1:123               0.0.0.0:*                               0          30139      2804/ntpd
>>>>>>> udp        0      0 0.0.0.0:123                 0.0.0.0:*                               0          30132      2804/ntpd
>>>>>>> udp        0      0 :::12201                    :::*                                    497        611311     30968/java
>>>>>>> udp        0      0 fe80::20d:3aff:fe01:162b:123 :::*                                   0          30142      2804/ntpd
>>>>>>> udp        0      0 ::1:123                     :::*                                    0          30141      2804/ntpd
>>>>>>> udp        0      0 :::123                      :::*                                    0          30133      2804/ntpd
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Monday, August 15, 2016 at 11:14:42 PM UTC-7, Ha NN wrote:
>>>>>>>>
>>>>>>>> Hi Sam
>>>>>>>>
>>>>>>>> Please make sure that graylog is listening on the right port.
>>>>>>>>
>>>>>>>> Give us the output for
>>>>>>>>
>>>>>>>> netstat -tulpen
>>>>>>>>
>>>>>>>> Please make sure that you are sending data on that port with
>>>>>>>>
>>>>>>>> tcpdump -i ethX port 5140
>>>>>>>>
>>>>>>>> Replace the x with your interface.
>>>>>>>>
>>>>>>>> On 16.08.2016 at 6:53 AM, "sam" <mrpl...@gmail.com> wrote:
>>>>>>>> >
>>>>>>>> > Hi Jason,
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > Graylog is installed on a Linux server. I used the rpm package for installation (graylog 2.0). Can you let me know the possible reasons?
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > Firewall on graylog server or client machine?
>>>>>>>> >
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > Thank you
>>>>>>>> >
>>>>>>>> >
>>>>>>>> > On Monday, August 15, 2016 at 3:44:35 PM UTC-7, Jason Warnes wrote:
>>>>>>>> >>
>>>>>>>> >> It might be a firewall on your graylog server.  Without knowing what method you used to install the graylog server it's hard to know for sure.
>>>>>>>> >>
>>>>>>>> >>
>>>>>>>> >> On Monday, August 15, 2016 at 12:46:02 AM UTC-6, sam wrote:
>>>>>>>> >>>
>>>>>>>> >>> Hi All,
>>>>>>>> >>>
>>>>>>>> >>> I am trying to send syslog messages into my graylog server. I configured the ip address in the /etc/rsyslog.conf file, but I have issues in getting the logs to my graylog server.
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>> Can any of you help me with this, please?
>>>>>>>> >>>
>>>>>>>> >>> /etc/rsyslog.conf/
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>> *.* @graylog.ip.address:5140
>>>>>>>> >>>
>>>>>>>> >>> These settings are configured on the client server.
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>> The input configured in the graylog server is:
>>>>>>>> >>> bind address : 0.0.0.0
>>>>>>>> >>> port : 5140
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>>
>>>>>>>> >>> Thank you
>>>>>>>> >>> Sam
>>>>>>>> >>>
>>>>>>>> > --
>>>>>>>> > You received this message because you are subscribed to the Google Groups "Graylog Users" group.
>>>>>>>> > To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+u...@googlegroups.com.
>>>>>>>> > To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/7447055d-cb6e-4ae0-bd7b-9fb4aadad414%40googlegroups.com.
>>>>>>>> >
>>>>>>>> > For more options, visit https://groups.google.com/d/optout.
>>>>>>>>

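Added example, not part of the thread: a small Python check that reads `netstat -tulpen` output and reports which sockets would answer on, or clash with, a given protocol, bind address and port before a Graylog input is moved there. The sample rows are copied from the output quoted above; the function names and the rule that a wildcard bind overlaps every address are assumptions of this sketch.

```python
import ipaddress

# Constructed sample: rows copied from the netstat -tulpen output in the thread.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State       User       Inode      PID/Program name
tcp        0      0 162.20.100.27:16001         0.0.0.0:*                   LISTEN      0          14422      1311/python
tcp        0      0 ::ffff:127.0.0.1:9300       :::*                        LISTEN      498        103168     25135/java
tcp        0      0 ::1:9300                    :::*                        LISTEN      498        103791     25135/java
tcp        0      0 :::12201                    :::*                        LISTEN      497        610172     30968/java
udp        0      0 :::12201                    :::*                                    497        611311     30968/java
udp        0      0 0.0.0.0:123                 0.0.0.0:*                               0          30132      2804/ntpd
"""

def parse_sockets(text):
    """Yield (proto, ip, port, program) for every tcp/udp row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # header or unrelated line
        host, _, port = f[3].rpartition(":")  # the port follows the last colon
        ip = ipaddress.ip_address(host)
        if ip.version == 6 and ip.ipv4_mapped:
            ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
        yield f[0][:3], ip, int(port), f[-1]

def listeners_on(text, proto, bind, port):
    """Return 'program on address' for sockets overlapping proto/bind:port."""
    want = ipaddress.ip_address(bind)
    hits = []
    for p, ip, prt, prog in parse_sockets(text):
        if p != proto or prt != port:
            continue
        # Assumption: a wildcard (0.0.0.0 or ::) on either side overlaps
        # every address; otherwise the two addresses must be identical.
        if ip.is_unspecified or want.is_unspecified or ip == want:
            hits.append(f"{prog} on {ip}")
    return hits

if __name__ == "__main__":
    for proto, bind, port in [("tcp", "162.20.100.27", 5140),
                              ("tcp", "0.0.0.0", 9300),
                              ("udp", "162.20.100.27", 12201)]:
        found = listeners_on(SAMPLE, proto, bind, port)
        print(proto, bind, port, "->", found or "nothing listening")
```

An empty result for the port rsyslog sends to means the input never bound, which is the condition to resolve before looking at firewalls or the sender.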