Hello,

I've recently set up a working Graylog server. It's collecting logs from 
many network switches and routers. One particular router (ironically, the 
most important one) doesn't appear in the Sources list though. Graylog 
keeps ignoring all packets coming from that host. Here's an example of a 
packet which is *not* ignored by Graylog:

19:12:15.705167 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 115)
    10.50.255.44.40810 > Silenoz.syslog: [udp sum ok] [|syslog]
 0x0000:  4500 0073 0000 4000 4011 27e3 0a32 ff2c  E..s..@.@.'..2.,
 0x0010:  0a32 ff06 9f6a 0202 005f 01d1 6468 6370  .2...j..._..dhcp
 0x0020:  2c77 6172 6e69 6e67 2067 706f 6e2d 6d6e  ,warning.gpon-mn
 0x0030:  6720 6f66 6665 7269 6e67 206c 6561 7365  g.offering.lease
 0x0040:  2031 302e 3530 2e32 3338 2e33 3520 666f  .10.50.238.35.fo
 0x0050:  7220 3030 3a30 323a 3731 3a35 413a 3036  r.00:02:71:5A:06
 0x0060:  3a42 3820 7769 7468 6f75 7420 7375 6363  :B8.without.succ
 0x0070:  6573 73 

And below you can see a packet which *is* ignored by Graylog:

    10.50.255.111.56993 > Silenoz.syslog: [udp sum ok] SYSLOG, length: 154
 Facility local7 (23), Severity notice (5)
 Msg: Feb 8 19:12:17: %SYSLOG-5-NOTICE: aaad: SubSessionAUTHFAIL user: pppoe16344@mn (24) Authentication failure [Circuit handle: 1/4:511:63:31/6/2/47661]\0x0a
 0x0000:  3c31 3839 3e46 6562 2038 2031 393a 3132
 0x0010:  3a31 373a 2025 5359 534c 4f47 2d35 2d4e
 0x0020:  4f54 4943 453a 2061 6161 643a 2053 7562
 0x0030:  5365 7373 696f 6e41 5554 4846 4149 4c20
 0x0040:  7573 6572 3a20 7070 706f 6531 3633 3434
 0x0050:  406d 6e20 2832 3429 2041 7574 6865 6e74
 0x0060:  6963 6174 696f 6e20 6661 696c 7572 6520
 0x0070:  5b43 6972 6375 6974 2068 616e 646c 653a
 0x0080:  2031 2f34 3a35 3131 3a36 333a 3331 2f36
 0x0090:  2f32 2f34 3736 3631 5d0a
 0x0000:  4500 00b6 77da 0000 4011 ef82 0a32 ff6f  E...w...@....2.o
 0x0010:  0a32 ff06 dea1 0202 00a2 28d8 3c31 3839  .2........(.<189
 0x0020:  3e46 6562 2038 2031 393a 3132 3a31 373a  >Feb.8.19:12:17:
 0x0030:  2025 5359 534c 4f47 2d35 2d4e 4f54 4943  .%SYSLOG-5-NOTIC
 0x0040:  453a 2061 6161 643a 2053 7562 5365 7373  E:.aaad:.SubSess
 0x0050:  696f 6e41 5554 4846 4149 4c20 7573 6572  ionAUTHFAIL.user
 0x0060:  3a20 7070 706f 6531 3633 3434 406d 6e20  :.pppoe16344@mn.
 0x0070:  2832 3429 2041 7574 6865 6e74 6963 6174  (24).Authenticat
 0x0080:  696f 6e20 6661 696c 7572 6520 5b43 6972  ion.failure.[Cir
 0x0090:  6375 6974 2068 616e 646c 653a 2031 2f34  cuit.handle:.1/4
 0x00a0:  3a35 3131 3a36 333a 3331 2f36 2f32 2f34  :511:63:31/6/2/4
 0x00b0:  3736 3631 5d0a                           7661].

As you can see, the packet is much longer, but it doesn't exceed the 
maximum UDP packet size that can be processed by Graylog (8192). My guess 
is that logs coming from 10.50.255.111 are not RFC compatible and thus 
they're discarded by Graylog. How can I debug it / fix it? I didn't find 
any related messages in the Elasticsearch log (there were no errors related 
to parsing a message).
I deleted the default Input object and added a new RAW UDP Input object. It 
didn't fix the issue - logs from 10.50.255.111 are still not parsed.

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/bdf5da44-6854-4f54-b99c-421f5febe76f%40googlegroups.com.
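To check the poster's guess that the second router's messages are not RFC 3164 compliant, here is an added diagnostic (not code from the post or from Graylog itself) that runs a strict RFC 3164 header check plus a relaxed fallback over the two payloads reconstructed from the hex dumps above; the strict regex is a generic reading of RFC 3164, not Graylog's own parser.

```python
import re

# Payloads reconstructed from the ASCII column of the two tcpdump dumps in the post.
ACCEPTED = ("dhcp,warning gpon-mng offering lease 10.50.238.35 "
            "for 00:02:71:5A:06:B8 without success")
IGNORED = ("<189>Feb 8 19:12:17: %SYSLOG-5-NOTICE: aaad: SubSessionAUTHFAIL user: "
           "pppoe16344@mn (24) Authentication failure "
           "[Circuit handle: 1/4:511:63:31/6/2/47661]\n")
# Control sample: the example message from RFC 3164 itself (section 5.4).
RFC_EXAMPLE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"

# Strict RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (day space-padded to 2 chars).
STRICT_3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} (?: \d|\d{2}) \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[^ ]+) "
    r"(?P<msg>.*)$", re.DOTALL)

# Relaxed header: tolerate a single-digit day, a ':' after the timestamp and no HOSTNAME.
RELAXED = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}):?\s*"
    r"(?P<msg>.*)$", re.DOTALL)


def parse_syslog(payload: str) -> dict:
    """Classify a raw UDP syslog payload: 'rfc3164', 'relaxed' or 'unstructured'."""
    m = STRICT_3164.match(payload)
    fmt, host = "rfc3164", None
    if not m:
        m = RELAXED.match(payload)
        fmt = "relaxed"
    if not m:
        return {"format": "unstructured", "msg": payload.rstrip("\n")}
    pri = int(m.group("pri"))          # PRI = facility * 8 + severity
    if fmt == "rfc3164":
        host = m.group("host")
    return {"format": fmt, "facility": pri >> 3, "severity": pri & 7,
            "timestamp": m.group("ts"), "host": host,
            "msg": m.group("msg").rstrip("\n")}


def rfc3164_deviations(payload: str) -> list:
    """List the header deviations from RFC 3164 that a strict parser would trip on."""
    if not payload.startswith("<") or ">" not in payload:
        return ["no <PRI> prefix"]
    head = payload[payload.index(">") + 1:]
    reasons = []
    if re.match(r"[A-Z][a-z]{2} \d ", head):
        reasons.append("day-of-month is not space-padded to two characters")
    if re.match(r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}:", head):
        reasons.append("timestamp is followed by ':' instead of a space")
    return reasons
```

For the ignored packet the PRI decodes to local7/notice exactly as tcpdump shows, but the header carries a single-digit day, a colon after the timestamp and no HOSTNAME, so a strict RFC 3164 parser rejects it while the relaxed pattern recovers every field.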