Graylog not showing logs or messages from client - syslog

Hell There,
I am new to graylog, we have configured client with below entry in configuration file
*.* #1*.**.88.**:514;RSYSLOG_SyslogProtocol23Format (we are using 514 port)
even we tried to to send some logs to graylog server with
echo -n -e '{ "version": "1.1", "host": "example.org", "short_message": "A short message", "level": 5, "_some_info": "foo" }'"\0" | nc -w 3 10.**.88.** 30001
tcpdump -vvv -i any port 514 |grep TCP
tcpdump -vvv -i any port 514|grep UDP
but in GUI we are not able to see any messages from that client, can you all please help us what we are missing since we dont have any idea of graylog. our version is Graylog v3.3.8+
Regards,
Samurai

Ports under 1024 are reserved. Switch your input to use 1514 instead and it should work.

Related

Docker duplicates UDP packets

I'm doing a very basic test with Docker in UDP.
I start a container on port 8000/UDP:
docker run -p 8000:8000/udp jgkamat/netcat -l -u -p 8000
I watch the traffic coming to this port:
ngrep -W byline -d any portrange 8000
I send an UDP packet:
nc -u <ip-address> 8000
This is the result of ngrep:
filter: (ip or ip6) and ( portrange 8000 )
#
U <my-public-ip>:37704 -> 192.168.0.4:8000
hello.............
#
U <my-public-ip>:37704 -> 172.17.0.2:8000
hello.
#
U <my-public-ip>:37704 -> 172.17.0.2:8000
hello.
Can anyone please explain why packets are duplicated?
You are seeing the transit of the same udp package, which is being forwarded:
netcat -(hello)-> host-interface -(hello)-> container-interface
Each container has its own network interface. ngrep is watching both host-interfaces: the one that is usually eth0 and the one that is in the docker network, usually docker0.

how to identify the port on which Rsyslog running?

I am trying to setup the flume agent to collect the log events from Rsyslog, but I dont have root permission/sudoer to figure out which port syslog is running on/ and where it is running on TCP or UDP so I can configure flume agent accordingly.
Is there any way to know exactly what is the port that Rsyslog deamon running on?
Below are command that I have used to identify Rsyslog Deamon process
ldnpsr000001131$ ps -ef | grep syslog
root 4874 1 0 Feb04 ? 00:00:14 /sbin/rsyslogd -i /var/run/syslogd.pid -c 4
You may try netstat -natupel |grep syslog and you'll get all connections : active and listening

Controling ports on localhost

i am trying to learn socket programming with PHP but quickly ran into binding errors on ports,now my attention is diverted onto solving port issues, how do i go about fully controlling ports on my machine, what commands do i use?
sudo netcat -z -vv localhost http
localhost [127.0.0.1] 80 (http): Connection refused
my problem is i get connection refused on port 80
and when i run a port scan on my iMac i only get
netcat -v -z -n -w 1 127.0.0.1 1-1023
127.0.0.1 88 (kerberos) open
127.0.0.1 548 (afpovertcp) open
127.0.0.1 631 (ipp) open
how do i add port 80 (http) open
to that list?
any help would be appreciated thanks

Nagios - check if a process is listening to a port

Is there any command which checks that a certain process is listening to a port.
I have tried check_tcp but it does not output which process is listening to a port
Its output was:
TCP OK - 0.000 second response time on port 8443|time=0.000421s;;;0.000000;10.000000
I didn't see anything on the Nagios Plugins Exchange to meet your needs, so I wrote one to be used with NRPE.
https://github.com/jlyoung/nagios_check_listening_port_linux
Output looks like this:
[root#joeyoung.io ~]# python /usr/lib/nagios/plugins/nagios_check_listening_port_linux.py -n nginx -p 80
OK. nginx found listening on port 80 for the following address(es): [0.0.0.0] | 'listening_on_expected_port'=1;;;;
[root#joeyoung.io ~]# python /usr/lib/nagios/plugins/nagios_check_listening_port_linux.py -n nginx -p 9999
CRITICAL - No process named nginx could be found listening on port 9999 | 'listening_on_expected_port'=0;;;;

Broadcasting a message using nc (netcat)

I'm trying to send a broadcast message using netcat.
I have firewalls open and sending a regular message like this works for me:
host: nc -l 192.168.1.121 12101
client: echo "hello" | nc 192.168.1.121 12100
But I can't get something like this to work.
host: nc -lu 0.0.0.0 12101
client: echo "hello" | nc -u 255.255.255.255 12100
Am I using the right flags? Note, the host is on Mac and the client on Linux. Can you give me an example that works for broadcasting a message?
Thanks!
The GNU version of netcat might be broken. (I can't get to work under 0.7.1 anyway.) See http://sourceforge.net/p/netcat/bugs/8/
I've gotten socat to work. Code below does UDP broadcast to port 24000.
socat - UDP-DATAGRAM:255.255.255.255:24000,broadcast
(In socat-world "-" means "stdin".)
You're not saying you want to broadcast, which is done using the -b option to nc/netcat.
nc -h 2>&1 | grep -- -b
-b allow broadcasts
A simple example that works on Ubuntu. All the info in is in the other answers, but I had to piece it together, so thought I would share the result.
server
nc -luk 12101
client
echo -n "test data" | nc -u -b 255.255.255.255 12101
The client will hang until you do Ctrl-C
Sorry, if I am assuming wrong but you mentioned that you have your firewalls set up correctly so I am guessing that the host and client are not on the same subnet???
If that is the case and this firewall is also acting also as a router (or if the packet has to go through a router) then it is going to process that packet but it will not forward it out its other interfaces. If you wanted that to happen then you would need to send a directed broadcast. For example; for the subnet 192.168.1.0/24 the directed broadcast would be 192.168.1.255, the last IP in the subnet. Then the firewall, assuming it had a route to 192.168.1.0/24 and that it is set up to forward directed broadcast, would forward that broadcast out to the destination or next hop. Configuring your device to forward directed broadcast... you would need to reference its documentation. For Cisco IOS you would type in, under the interface, "ip directed-broadcast".
255.255.255.255 is a limited broadcast and is not going to get pass your routers regardless, it is solely intended for the layer 2 link that it resides.
As for how netcat is set up:
-l 0.0.0.0 12101, tells netcat to listen on port 12101 on all interfaces that are up and with an IP address assigned. The -u is not needed as it is telling netcat to listen on a unix domain socket, google IPC :) (this is the biggest reason that your scenario is not working.)
The below should work to get a broadcast forwarded to another network via netcat:
server: nc -l 0.0.0.0 12101
host: echo "hello" | nc 192.168.1.255 12101
Hope that helps, sorry if that was long winded or off from what you were looking for :)

Resources