GELF Logs from Graylog to Logstash

INFO: I am running version 6.1 on all of my Elastic Stack components; these are Ubuntu VMs hosted in Azure. I have listed the contents of the Graylog logs below, and the Logstash logs show nothing (even when set to debug).

I am trying to see what features an Elastic Stack can give us over our current Graylog configuration. Sending all of our current logs from Graylog to our Elastic Stack would save us a huge amount of time and allow us to get testing as soon as possible. So on Graylog I have set up a GELF output; this output is pointed at the internal address of the Elastic Stack, as we host it all in Azure and have set up peering. I have tested the connection by SSHing from the Graylog VM to the Elastic VM and it worked. I have also opened the outbound firewall rule to the Elastic box from the Graylog VM over port 20001 and allowed the inbound connection on the Elastic VM over port 20001.

So when I run Graylog I get connection refused constantly; you can see an example below:

2017-12-14T09:58:59.097Z ERROR [GelfTcpTransport] Connection failed: Connection refused: /10.16.0.5:20001
2017-12-14T09:58:59.599Z ERROR [GelfTcpTransport] Connection failed: Connection refused: /10.16.0.5:20001

So I ran a TCP dump on the Elastic box on port 20001 and can see the connection being attempted over and over; an example is shown below:

10:00:18.009176 IP 10.13.0.5.58266 > 10.16.0.5.20001: Flags [S], seq 1996331290, win 29200, options [mss 1418,sackOK,TS val 514368188 ecr 0,nop,wscale 7], length 0
10:00:18.009199 IP 10.16.0.5.20001 > 10.13.0.5.58266: Flags [R.], seq 0, ack 1996331291, win 0, length 0
10:00:18.511280 IP 10.13.0.5.58268 > 10.16.0.5.20001: Flags [S], seq 2506929537, win 29200, options [mss 1418,sackOK,TS val 514368313 ecr 0,nop,wscale 7], length 0
10:00:18.511330 IP 10.16.0.5.20001 > 10.13.0.5.58268: Flags [R.], seq 0, ack 2506929538, win 0, length 0

Here is my gelf input on Logstash:

input {
  gelf {
    host => "10.16.0.5"
    port => 20001
  }
}

Has anyone got any ideas on how I can get this working?
I was thinking maybe the input config isn't quite right but I'm not sure.

Cheers,

George

George,

I believe you may be mixing protocols. By default GELF is UDP, and the
last time I looked at the status of the TCP input it was still not
implemented.

-J.J.-
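The mismatch J.J. describes, as an added example that is not part of the thread: a UDP-only listener shaped like the Logstash gelf input receives a GELF 1.1 datagram on an ephemeral loopback port, while a TCP connect to that same port is refused (the SYN/RST pair seen in the tcpdump above). Host names, the `_source` field and the message text are constructed for the demo.

```python
import gzip
import json
import socket
import threading
import time

def build_gelf(host, short_message, level=6, **extra):
    """Build a gzip-compressed GELF 1.1 datagram, the format a GELF UDP output emits."""
    msg = {"version": "1.1", "host": host, "short_message": short_message,
           "timestamp": time.time(), "level": level}
    msg.update({"_" + k: v for k, v in extra.items()})  # additional fields need a leading underscore
    return gzip.compress(json.dumps(msg).encode())

def parse_gelf(payload):
    """Decode one datagram: gunzip when the gzip magic bytes are present, then parse JSON."""
    if payload[:2] == b"\x1f\x8b":
        payload = gzip.decompress(payload)
    return json.loads(payload)

def udp_listener(bound, received):
    """A UDP-only listener, as the Logstash gelf input is; it never opens a TCP socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))           # ephemeral port so the demo never collides with a real service
        s.settimeout(5)
        bound.append(s.getsockname()[1])   # publish the chosen port to the sender
        try:
            data, _ = s.recvfrom(8192)
            received.append(parse_gelf(data))
        except socket.timeout:
            pass

def demo():
    """Send one GELF message over UDP, then try TCP to the same port; report both outcomes."""
    bound, received = [], []
    t = threading.Thread(target=udp_listener, args=(bound, received))
    t.start()
    while not bound:
        time.sleep(0.01)
    port = bound[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as u:
        u.sendto(build_gelf("graylog-vm", "forwarded via GELF UDP", source="gelf-output"), ("127.0.0.1", port))
    t.join()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=2):
            tcp_refused = False     # would mean some other service is listening on TCP there
    except ConnectionRefusedError:
        tcp_refused = True          # the kernel answers the SYN with RST: "Connection refused"
    return {"udp_received": received, "tcp_refused": tcp_refused}
```

Running `demo()` returns the decoded message under `udp_received` and `tcp_refused` set to True, which is exactly the pattern in George's Graylog log and tcpdump.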

Hi J.J.,

Thanks for the info, I'll give it a go once I get back to work.

Cheers

George

EDIT:

Graylog has the option for outputting GELF over TCP. I was trying to send GELF over TCP, and by changing the Graylog output type to TCP it worked. Thanks J.J. for your answer, it worked perfectly!
