I'm having similar issues with GELF packets. They show up if I create a raw udp input, but they don't show up with a gelf input. It used to work, but suddenly stopped working.
I also have no idea how to debug this; there doesn't seem to be a place for parser errors. Increasing the debug level to "debug" or "trace" doesn't help me; it generates way too much noise.

On Wednesday, February 8, 2017 at 12:43:38 PM UTC-6, [email protected] wrote:
>
> Hello,
>
> I've recently set up a working Graylog server. It's collecting logs from
> many network switches and routers. One particular router (ironically, the
> most important one) doesn't appear in the Sources list though. Graylog
> keeps ignoring all packets coming from that host. Here's an example of a
> packet which is *not* ignored by Graylog:
>
> 19:12:15.705167 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 115)
>     10.50.255.44.40810 > Silenoz.syslog: [udp sum ok] [|syslog]
>     0x0000:  4500 0073 0000 4000 4011 27e3 0a32 ff2c  E..s..@.@.'..2.,
>     0x0010:  0a32 ff06 9f6a 0202 005f 01d1 6468 6370  .2...j..._..dhcp
>     0x0020:  2c77 6172 6e69 6e67 2067 706f 6e2d 6d6e  ,warning.gpon-mn
>     0x0030:  6720 6f66 6665 7269 6e67 206c 6561 7365  g.offering.lease
>     0x0040:  2031 302e 3530 2e32 3338 2e33 3520 666f  .10.50.238.35.fo
>     0x0050:  7220 3030 3a30 323a 3731 3a35 413a 3036  r.00:02:71:5A:06
>     0x0060:  3a42 3820 7769 7468 6f75 7420 7375 6363  :B8.without.succ
>     0x0070:  6573 73                                  ess
>
> And below you can see a packet which *is* ignored by Graylog:
>
>     10.50.255.111.56993 > Silenoz.syslog: [udp sum ok] SYSLOG, length: 154
>     Facility local7 (23), Severity notice (5)
>     Msg: Feb 8 19:12:17: %SYSLOG-5-NOTICE: aaad: SubSessionAUTHFAIL user: pppoe16344@mn (24) Authentication failure [Circuit handle: 1/4:511:63:31/6/2/47661]\0x0a
>     0x0000:  3c31 3839 3e46 6562 2038 2031 393a 3132
>     0x0010:  3a31 373a 2025 5359 534c 4f47 2d35 2d4e
>     0x0020:  4f54 4943 453a 2061 6161 643a 2053 7562
>     0x0030:  5365 7373 696f 6e41 5554 4846 4149 4c20
>     0x0040:  7573 6572 3a20 7070 706f 6531 3633 3434
>     0x0050:  406d 6e20 2832 3429 2041 7574 6865 6e74
>     0x0060:  6963 6174 696f 6e20 6661 696c 7572 6520
>     0x0070:  5b43 6972 6375 6974 2068 616e 646c 653a
>     0x0080:  2031 2f34 3a35 3131 3a36 333a 3331 2f36
>     0x0090:  2f32 2f34 3736 3631 5d0a
>     0x0000:  4500 00b6 77da 0000 4011 ef82 0a32 ff6f  [email protected]
>     0x0010:  0a32 ff06 dea1 0202 00a2 28d8 3c31 3839  .2........(.<189
>     0x0020:  3e46 6562 2038 2031 393a 3132 3a31 373a  >Feb.8.19:12:17:
>     0x0030:  2025 5359 534c 4f47 2d35 2d4e 4f54 4943  .%SYSLOG-5-NOTIC
>     0x0040:  453a 2061 6161 643a 2053 7562 5365 7373  E:.aaad:.SubSess
>     0x0050:  696f 6e41 5554 4846 4149 4c20 7573 6572  ionAUTHFAIL.user
>     0x0060:  3a20 7070 706f 6531 3633 3434 406d 6e20  :.pppoe16344@mn.
>     0x0070:  2832 3429 2041 7574 6865 6e74 6963 6174  (24).Authenticat
>     0x0080:  696f 6e20 6661 696c 7572 6520 5b43 6972  ion.failure.[Cir
>     0x0090:  6375 6974 2068 616e 646c 653a 2031 2f34  cuit.handle:.1/4
>     0x00a0:  3a35 3131 3a36 333a 3331 2f36 2f32 2f34  :511:63:31/6/2/4
>     0x00b0:  3736 3631 5d0a                           7661].
>
> As you can see, the packet is much longer, but it doesn't exceed the
> maximum UDP packet size that can be processed by Graylog (8192). My guess
> is that logs coming from 10.50.255.111 are not RFC compatible and thus
> they're discarded by Graylog. How can I debug it / fix it? I didn't find
> any related messages in the Elasticsearch log (there were no errors related
> to parsing a message).
>
> I deleted the default Input object and added a new RAW UDP Input object.
> It didn't fix the issue - logs from 10.50.255.111 are still not parsed.

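As an added example (written for this thread, not code from either poster or from Graylog), the script below rebuilds the UDP payload of the ignored packet from the tcpdump hex lines quoted above and reports where its header departs from a strict RFC 3164 layout; the accepted packet's payload is decoded from the first dump for comparison. It shows what a strict parser sees, not what Graylog's own parser does.

```python
import re

# Strict RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
# The day is space-padded to two characters ("Feb  8") and the timestamp
# is followed by one space and a hostname, never by a colon.
STRICT_HEADER = re.compile(
    r"^<\d{1,3}>(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"(?: \d|[12]\d|3[01]) \d\d:\d\d:\d\d [!-~]+ .*$", re.S)
# UDP payload of the ignored packet, copied from the tcpdump -x lines in the post.
IGNORED_DUMP = """
0x0000: 3c31 3839 3e46 6562 2038 2031 393a 3132
0x0010: 3a31 373a 2025 5359 534c 4f47 2d35 2d4e
0x0020: 4f54 4943 453a 2061 6161 643a 2053 7562
0x0030: 5365 7373 696f 6e41 5554 4846 4149 4c20
0x0040: 7573 6572 3a20 7070 706f 6531 3633 3434
0x0050: 406d 6e20 2832 3429 2041 7574 6865 6e74
0x0060: 6963 6174 696f 6e20 6661 696c 7572 6520
0x0070: 5b43 6972 6375 6974 2068 616e 646c 653a
0x0080: 2031 2f34 3a35 3131 3a36 333a 3331 2f36
0x0090: 2f32 2f34 3736 3631 5d0a
"""
# UDP payload of the accepted packet (decoded from the first dump in the post).
ACCEPTED = b"dhcp,warning gpon-mng offering lease 10.50.238.35 for 00:02:71:5A:06:B8 without success"

def payload_from_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from 'offset: hhhh hhhh ...' lines (no ASCII column)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, _, words = line.partition(":")
        out += bytes.fromhex(words.replace(" ", ""))
    return bytes(out)

def check_syslog(payload: bytes) -> dict:
    """Decode the PRI field and list how the header deviates from strict RFC 3164."""
    text = payload.decode("ascii", errors="replace")
    result = {"facility": None, "severity": None, "strict_ok": False, "issues": []}
    pri = re.match(r"^<(\d{1,3})>", text)
    if not pri or int(pri.group(1)) > 191:
        result["issues"].append("missing or invalid <PRI> field")
        return result
    result["facility"], result["severity"] = divmod(int(pri.group(1)), 8)
    if STRICT_HEADER.match(text):
        result["strict_ok"] = True
        return result
    rest = text[pri.end():]
    if re.match(r"^[A-Z][a-z]{2} \d ", rest):
        result["issues"].append("single-digit day is not space-padded ('Feb 8' vs 'Feb  8')")
    if re.match(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d:", rest):
        result["issues"].append("timestamp is followed by ':' where RFC 3164 expects a hostname")
    return result
```

Running `check_syslog(payload_from_hexdump(IGNORED_DUMP))` yields facility 23 (local7) and severity 5 (notice) with two header deviations, while `check_syslog(ACCEPTED)` reports that the accepted packet carries no `<PRI>` field at all.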