Discussion:
[graylog2] Syslog Input on port UDP 514?
Nathan Mace
2016-07-29 14:36:55 UTC
I'm looking to replace a small Splunk instance with Graylog. One of the things
that sends logs into Splunk now is many remote field offices' worth of
routers and switches. All via UDP 514. I had originally thought once I
got everything configured I could simply shut down the Splunk server and
assign its IP address to Graylog and be good to go. However, all of those
remote devices are set to transmit on port 514, and I can't create an input
on Graylog for that port number (partially because it's in use by the
system's own syslog service and partially because I can't assign an input on
a low numbered port number).

What are my options besides reconfiguring all of those switches and routers?

Nathan
--
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to graylog2+***@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/85ae7a83-52f1-423e-b4ab-acaed966de08%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Darin Perusich
2016-07-29 19:12:29 UTC
Run Graylog as root or use iptables to redirect traffic bound for 514
to whatever port you've configured Graylog to collect syslog messages
on.

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 514 -j REDIRECT --to-port 1514
--
Later,
Darin
BKeep
2016-07-29 21:30:28 UTC
And the firewalld solution
firewall-cmd --zone=<your zone> --add-forward-port=port=514:proto=udp:toport=10514 --permanent
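An idempotent way to apply the iptables redirect from Darin Perusich's reply, as an added example that is not part of the original thread. The function names (is_port, redirect_spec, ensure_redirect) are hypothetical; eth0, 514 and 1514 are the values used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# is_port N -> succeeds if N is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# redirect_spec IFACE FROM TO -> prints the rule spec shared by -C and -A
redirect_spec() {
    printf '%s' "PREROUTING -i $1 -p udp --dport $2 -j REDIRECT --to-port $3"
}

# ensure_redirect IFACE FROM TO
# Returns 0 if the rule is present afterwards, 2 on bad arguments,
# or the iptables exit status if the append fails.
ensure_redirect() {
    iface=$1 from=$2 to=$3
    is_port "$from" && is_port "$to" || { echo "bad port" >&2; return 2; }
    # The redirect exists so the listener can stay unprivileged, so the
    # target must be a port a non-root process is allowed to bind.
    [ "$to" -ge 1024 ] || { echo "target port $to is privileged" >&2; return 2; }
    spec=$(redirect_spec "$iface" "$from" "$to")
    # -C exits 0 when an identical rule already exists; skipping the append
    # keeps repeated runs from stacking duplicate rules.
    # $spec is left unquoted on purpose so it splits into arguments.
    if iptables -t nat -C $spec 2>/dev/null; then
        return 0
    fi
    iptables -t nat -A $spec
}
```

Run it as root, for example `ensure_redirect eth0 514 1514`. The rule exists only in the running kernel, so it has to be saved with the distribution's persistence mechanism to survive a reboot.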