Re: [graylog2] my first syslog input is failing

2017-01-22 Thread Jason Fuller
Hi Jochen,

After switching the receiver to 1514, and a reboot, the server is
receiving messages now.  However, when I change the user back to "graylog",
and restart, after about 1 minute, it crashes with 1000's of errors.
Switching back to root fixes it.  I think I should reload the server and app.

Thanks for all your help!
Jason

On Sun, Jan 22, 2017 at 9:51 PM, Jason Fuller 
wrote:

> Hi Jochen,
>
> Understand about the security implications.  Thank you for pointing out ;)
>
> On the receipt issue, yes, I'm sure there is not a network issue, on the
> graylog server I'm receiving the packet.  It's just not showing up in
> Graylog:
>
> [root@server]# tcpdump -nnvvi ens32 port 514
> tcpdump: listening on ens32, link-type EN10MB (Ethernet), capture size
> 65535 bytes
> 05:54:04.456723 IP (tos 0x0, ttl 64, id 8493, offset 0, flags [DF], proto
> UDP (17), length 127)
> 10.10.0.5.37136 > 10.10.0.64.514: [udp sum ok] SYSLOG, length: 99
> Facility user (1), Severity info (6)
> Msg: Jan 22 21:46:40 SERVER01 System Test message from Synology
> Syslog Client from (10.10.0.5)\0x0a
> 0x:  3c31 343e 4a61 6e20 3232 2032 313a 3436
> 0x0010:  3a34 3020 504e 4153 4148 3149 4e46 3031
> 0x0020:  2053 7973 7465 6d20 5465 7374 206d 6573
> 0x0030:  7361 6765 2066 726f 6d20 5379 6e6f 6c6f
> 0x0040:  6779 2053 7973 6c6f 6720 436c 6965 6e74
> 0x0050:  2066 726f 6d20 2831 302e 3230 382e 302e
> 0x0060:  3529 0a
> ^C
> 1 packet captured
> 1 packet received by filter
> 0 packets dropped by kernel
>
> Thank you for your help,
> Regards,
> Jason
>
>
> On Sun, Jan 22, 2017 at 8:02 PM, Jochen Schalanda 
> wrote:
>
>> On Sunday, 22 January 2017 12:54:20 UTC+1, Jochen Schalanda wrote:
>>>
>>> On Sunday, 22 January 2017 06:19:21 UTC+1, JayJay wrote:

>>>> Changed user to root, restarted server, and the input is starting ok
>>>> now.
>>>>
>>>
>>> From a security perspective, that's a very bad idea and I'd recommend to
>>> use one of the other mechanisms described in the documentation:
>>> http://docs.graylog.org/en/2.1/pages/faq.html#how-can-i-start-an-input-on-a-port-below-1024
>>>
>>
>> The simplest thing would be to run the input on a port >1024 (e. g. 1514)
>> of course…
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/CAGUPOFt1Es%2BX1YigioxFFEVhLEwwSZhtosC8EZ0qho1A%3DtOeXw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [graylog2] my first syslog input is failing

2017-01-22 Thread Jason Fuller
Hi Jochen,

Understand about the security implications.  Thank you for pointing out ;)

On the receipt issue, yes, I'm sure there is not a network issue, on the
graylog server I'm receiving the packet.  It's just not showing up in
Graylog:

[root@server]# tcpdump -nnvvi ens32 port 514
tcpdump: listening on ens32, link-type EN10MB (Ethernet), capture size
65535 bytes
05:54:04.456723 IP (tos 0x0, ttl 64, id 8493, offset 0, flags [DF], proto
UDP (17), length 127)
10.10.0.5.37136 > 10.10.0.64.514: [udp sum ok] SYSLOG, length: 99
Facility user (1), Severity info (6)
Msg: Jan 22 21:46:40 SERVER01 System Test message from Synology
Syslog Client from (10.10.0.5)\0x0a
0x:  3c31 343e 4a61 6e20 3232 2032 313a 3436
0x0010:  3a34 3020 504e 4153 4148 3149 4e46 3031
0x0020:  2053 7973 7465 6d20 5465 7374 206d 6573
0x0030:  7361 6765 2066 726f 6d20 5379 6e6f 6c6f
0x0040:  6779 2053 7973 6c6f 6720 436c 6965 6e74
0x0050:  2066 726f 6d20 2831 302e 3230 382e 302e
0x0060:  3529 0a
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel

Thank you for your help,
Regards,
Jason


On Sun, Jan 22, 2017 at 8:02 PM, Jochen Schalanda 
wrote:

> On Sunday, 22 January 2017 12:54:20 UTC+1, Jochen Schalanda wrote:
>>
>> On Sunday, 22 January 2017 06:19:21 UTC+1, JayJay wrote:
>>>
>>> Changed user to root, restarted server, and the input is starting ok
>>> now.
>>>
>>
>> From a security perspective, that's a very bad idea and I'd recommend to
>> use one of the other mechanisms described in the documentation:
>> http://docs.graylog.org/en/2.1/pages/faq.html#how-can-i-start-an-input-on-a-port-below-1024
>>
>
> The simplest thing would be to run the input on a port >1024 (e. g. 1514)
> of course…
>


Re: [graylog2] my first syslog input is failing

2017-01-22 Thread Jochen Schalanda
On Sunday, 22 January 2017 12:54:20 UTC+1, Jochen Schalanda wrote:
>
> On Sunday, 22 January 2017 06:19:21 UTC+1, JayJay wrote:
>>
>> Changed user to root, restarted server, and the input is starting ok now. 
>>  
>>
>
> From a security perspective, that's a very bad idea and I'd recommend to 
> use one of the other mechanisms described in the documentation: 
> http://docs.graylog.org/en/2.1/pages/faq.html#how-can-i-start-an-input-on-a-port-below-1024
>

The simplest thing would be to run the input on a port >1024 (e. g. 1514) 
of course…



Re: [graylog2] my first syslog input is failing

2017-01-22 Thread Jochen Schalanda
Hi Jason,

On Sunday, 22 January 2017 06:19:21 UTC+1, JayJay wrote:
>
> Changed user to root, restarted server, and the input is starting ok now.  
>

From a security perspective, that's a very bad idea and I'd recommend to
use one of the other mechanisms described in the 
documentation: 
http://docs.graylog.org/en/2.1/pages/faq.html#how-can-i-start-an-input-on-a-port-below-1024
 

> However, when I send test messages to the input, I don't see anything in
> input/search window.
>

How exactly are you sending test messages?
 

> 2017-01-22T21:05:47.002+08:00 WARN  [NettyTransport] receiveBufferSize
> (SO_RCVBUF) for input SyslogUDPInput{title=diskstation, 
> type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=null} should be 
> 262144 but is 212992.
>

See https://github.com/Graylog2/documentation/issues/26 

> I have two choices on my syslog sender:  BSD (RFC3164) and IETF (RFC 5424).
>

Both should work, if the sender adheres to the mentioned RFCs.

If you can rule out networking problems (check with Wireshark whether the 
messages actually reach Graylog), then you can try using a Raw/Plaintext 
input.

Cheers,
Jochen 
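
One way to answer "How exactly are you sending test messages?" without root, as an added example that is not part of the original thread: it builds a BSD (RFC 3164) and an IETF (RFC 5424) test message with the PRI seen in the tcpdump capture (facility user, severity info, i.e. `<14>`), round-trips them over loopback UDP, and reports whether the current user may bind UDP 514. The function names, host name and tag are assumptions made for the example.

```python
import socket
from datetime import datetime, timezone

FACILITY_USER, SEVERITY_INFO = 1, 6  # values decoded by tcpdump in the thread

def pri(facility, severity):
    """PRI value that both RFC 3164 and RFC 5424 put between '<' and '>'."""
    return facility * 8 + severity

def build_rfc3164(host, tag, text, when):
    # BSD layout: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG (day is space-padded)
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(FACILITY_USER, SEVERITY_INFO)}>{stamp} {host} {tag}: {text}".encode()

def build_rfc5424(host, app, text, when):
    # IETF layout: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG, "-" means nil
    stamp = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri(FACILITY_USER, SEVERITY_INFO)}>1 {stamp} {host} {app} - - - {text}".encode()

def parse_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if malformed."""
    end = datagram.find(b">", 1, 5)  # PRI is at most three digits
    if not datagram.startswith(b"<") or end == -1 or not datagram[1:end].isdigit():
        return None
    value = int(datagram[1:end])
    return divmod(value, 8) if value <= 191 else None

def try_bind_udp(address, port):
    """Bind the way a UDP input would; return (socket, None) or (None, reason)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((address, port))
        return sock, None
    except OSError as exc:  # e.g. EACCES on a port below 1024 without privilege
        sock.close()
        return None, f"{type(exc).__name__}: {exc.strerror}"

def loopback_roundtrip(payload):
    """Send payload to a local listener on an ephemeral port; return what arrived."""
    listener, reason = try_bind_udp("127.0.0.1", 0)
    if listener is None:
        raise RuntimeError(reason)
    listener.settimeout(2)
    with listener, socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        sender.sendto(payload, listener.getsockname())
        return listener.recvfrom(65535)[0]

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for msg in (build_rfc3164("SERVER01", "test", "constructed test message", now),
                build_rfc5424("SERVER01", "test", "constructed test message", now)):
        print(parse_pri(loopback_roundtrip(msg)), msg)
    sock, reason = try_bind_udp("0.0.0.0", 514)
    print("bind UDP 514 as this user:", reason or "ok")
    if sock:
        sock.close()
```

Run as the unprivileged service account, the last line shows the same "Permission denied" condition the input reported; the two builders can be pointed at the real input on port 1514 by replacing the loopback listener address.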



Re: [graylog2] my first syslog input is failing

2017-01-21 Thread Jason Fuller
Hi Jochen,

Thanks!  Changed user to root, restarted server, and the input is starting
ok now.

However, when I send test messages to the input, I don't see anything in
input/search window.
In the log, I see this:


2017-01-22T21:05:47.002+08:00 WARN  [NettyTransport] receiveBufferSize
(SO_RCVBUF) for input SyslogUDPInput{title=diskstation,
type=org.graylog2.inputs.syslog.udp.SyslogUDPInput, nodeId=null} should be
262144 but is 212992.

I have two choices on my syslog sender:  BSD (RFC3164) and IETF (RFC
5424).  I've tried both just to be sure, but no additional error messages
nor message show up in GrayLog.

Any suggestion?

Thanks!





On Fri, Jan 20, 2017 at 5:47 PM, Jochen Schalanda 
wrote:

> Hi Jason,
>
> you're trying to bind the input to a privileged port (<1024) which is only
> possible if Graylog was started by the system's root user or was configured
> accordingly (e. g. with authbind).
>
> See http://docs.graylog.org/en/2.1/pages/faq.html#how-can-i-start-an-input-on-a-port-below-1024
> for details.
>
> Cheers,
> Jochen
>
> On Friday, 20 January 2017 10:43:08 UTC+1, JayJay wrote:
>>
>> Hi Richard,
>>
>>    - allow_override_date: true
>>    - bind_address: 10.10.0.64  < I also tried 0.0.0.0 and 127.0.0.l
>>    - expand_structured_data: true
>>    - force_rdns: true
>>    - override_source: **
>>    - port: 514
>>    - recv_buffer_size: 262144
>>    - store_full_message: true
>>


Re: [graylog2] my first syslog input is failing

2017-01-20 Thread Jason Fuller
Hi - further, I found another error more helpful on this:

An input has failed to start (triggered in 8 hours)
Input 58824501d7a3bd5096cf8dc9 has failed to start on node
b4803a74-6842-49dd-84b1-bc6a9a7b2504 for this reason: »Permission denied.«.
This means that you are unable to receive any messages from this input.
This is mostly an indication for a misconfiguration or an error. You can
click here  to solve this.


On Fri, Jan 20, 2017 at 5:42 PM, Jason Fuller 
wrote:

> Hi Richard,
>
>    - allow_override_date: true
>    - bind_address: 10.10.0.64  < I also tried 0.0.0.0 and 127.0.0.l
>    - expand_structured_data: true
>    - force_rdns: true
>    - override_source: **
>    - port: 514
>    - recv_buffer_size: 262144
>    - store_full_message: true
>
>
> On Fri, Jan 20, 2017 at 5:30 PM, Richard S. Westmoreland <
> richar...@gmail.com> wrote:
>
>> What port are you trying to use?
>>
>>
>> On Jan 20, 2017, at 6:15 PM, JayJay  wrote:
>>
>> Hi,
>>
>> I have GrayLog setup on CentOS7.
>> I tried to setup an UDP Syslog input, and after setup, it eventually says
>> "failed".  I searched the logs, and didn't see much.
>>
>> I do see "failed" in the main log
>> at org.jboss.netty.channel.Channels.bind(Channels.java:561)
>> ~[graylog.jar:?]
>> at 
>> org.jboss.netty.channel.AbstractChannel.bind(AbstractChannel.java:197)
>> ~[graylog.jar:?]
>> at 
>> org.jboss.netty.bootstrap.ConnectionlessBootstrap.bind(ConnectionlessBootstrap.java:198)
>> ~[graylog.jar:?]
>> at 
>> org.graylog2.plugin.inputs.transports.NettyTransport.launch(NettyTransport.java:136)
>> ~[graylog.jar:?]
>> at 
>> org.graylog2.plugin.inputs.MessageInput.launch(MessageInput.java:153)
>> ~[graylog.jar:?]
>> ... 7 more
>> 2017-01-21T01:16:49.617+08:00 INFO  [InputStateListener] Input [Syslog
>> UDP/58824501d7a3bd5096cf8dc9] is now FAILED
>>
>>
>> What should I be looking for?
>>
>> Thanks!
>>


Re: [graylog2] my first syslog input is failing

2017-01-20 Thread Jason Fuller
Hi Richard,

   - allow_override_date: true
   - bind_address: 10.10.0.64  < I also tried 0.0.0.0 and 127.0.0.l
   - expand_structured_data: true
   - force_rdns: true
   - override_source: **
   - port: 514
   - recv_buffer_size: 262144
   - store_full_message: true


On Fri, Jan 20, 2017 at 5:30 PM, Richard S. Westmoreland <
richar...@gmail.com> wrote:

> What port are you trying to use?
>
>
> On Jan 20, 2017, at 6:15 PM, JayJay  wrote:
>
> Hi,
>
> I have GrayLog setup on CentOS7.
> I tried to setup an UDP Syslog input, and after setup, it eventually says
> "failed".  I searched the logs, and didn't see much.
>
> I do see "failed" in the main log
> at org.jboss.netty.channel.Channels.bind(Channels.java:561)
> ~[graylog.jar:?]
> at 
> org.jboss.netty.channel.AbstractChannel.bind(AbstractChannel.java:197)
> ~[graylog.jar:?]
> at org.jboss.netty.bootstrap.ConnectionlessBootstrap.bind(
> ConnectionlessBootstrap.java:198) ~[graylog.jar:?]
> at org.graylog2.plugin.inputs.transports.NettyTransport.
> launch(NettyTransport.java:136) ~[graylog.jar:?]
> at 
> org.graylog2.plugin.inputs.MessageInput.launch(MessageInput.java:153)
> ~[graylog.jar:?]
> ... 7 more
> 2017-01-21T01:16:49.617+08:00 INFO  [InputStateListener] Input [Syslog
> UDP/58824501d7a3bd5096cf8dc9] is now FAILED
>
>
> What should I be looking for?
>
> Thanks!
>


Re: [graylog2] my first syslog input is failing

2017-01-20 Thread Richard S. Westmoreland
What port are you trying to use?


> On Jan 20, 2017, at 6:15 PM, JayJay  wrote:
> 
> Hi,
> 
> I have GrayLog setup on CentOS7.  
> I tried to setup an UDP Syslog input, and after setup, it eventually says 
> "failed".  I searched the logs, and didn't see much.
> 
> I do see "failed" in the main log
> at org.jboss.netty.channel.Channels.bind(Channels.java:561) 
> ~[graylog.jar:?]
> at 
> org.jboss.netty.channel.AbstractChannel.bind(AbstractChannel.java:197) 
> ~[graylog.jar:?]
> at 
> org.jboss.netty.bootstrap.ConnectionlessBootstrap.bind(ConnectionlessBootstrap.java:198)
>  ~[graylog.jar:?]
> at 
> org.graylog2.plugin.inputs.transports.NettyTransport.launch(NettyTransport.java:136)
>  ~[graylog.jar:?]
> at 
> org.graylog2.plugin.inputs.MessageInput.launch(MessageInput.java:153) 
> ~[graylog.jar:?]
> ... 7 more
> 2017-01-21T01:16:49.617+08:00 INFO  [InputStateListener] Input [Syslog 
> UDP/58824501d7a3bd5096cf8dc9] is now FAILED
> 
> 
> What should I be looking for?
> 
> Thanks!