maltrail
Send to SYSLOG not working
Hi, I tried commenting the SYSLOG in maltrail.conf and allowed the port both on the maltrail server going to the syslog server (Graylog). Tried both CEF UDP and SYSLOG UDP, but the log server is still not able to receive anything; the port on the maltrail isn't even listening. Can anyone help please? Do I need to install rsyslog for this purpose?
Hello!
Please show your maltrail.conf file in place of the #SYSLOG_SERVER variable. Thank you!
Hi @MikhailKasimov
Here's my maltrail.conf with the SYSLOG_SERVER line:
```
#Interface used for monitoring (e.g. eth0, eth1)
#MONITOR_INTERFACE any
MONITOR_INTERFACE eth1
#Network capture filter (e.g. ip)
#Note(s): more info about filters can be found at: https://danielmiessler.com/study/tcpdump/
#CAPTURE_FILTER ip or ip6
CAPTURE_FILTER udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))
#Sensor name to appear in produced logs
SENSOR_NAME $HOSTNAME
#Remote address to send log entries
LOG_SERVER 192.168.120.55:8337
#LOG_SERVER 192.168.2.107:8337
#LOG_SERVER [fe80::12c3:7bff:fe6d:cf9b%eno1]:8337
#Remote address to send syslog entries
#SYSLOG_SERVER 192.168.2.107:514
SYSLOG_SERVER 192.168.148.254:5560
#Use only (!) in cases when LOG_SERVER should be used for log storage
DISABLE_LOCAL_LOG_STORAGE false
```
Hello!
`SYSLOG_SERVER 192.168.148.254:5560` <-- why not `SYSLOG_SERVER 192.168.148.254:514`?
@netsysadm I believe that you are trying to push syslog/CEF messages, while Graylog in your case expects GELF:
@netsysadm https://www.graylog.org/post/how-to-use-graylog-as-a-syslog-server
Auxiliary: Pipeline rule regex for handling Maltrail alerts coming into graylog: https://github.com/john-babio/graylog/blob/master/maltrail.pipeline
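A quick way to check the receiving side of the setup discussed in this thread, added here as an example that is not from the maltrail project or from any poster: the sender opens no listening port for syslog, so the useful test is a throwaway UDP listener on the log-server host bound to the configured port (514 or 5560), which shows whether datagrams arrive at all and whether they carry a plain syslog line or a CEF header. The sample datagrams are constructed, and the exact message layout maltrail emits is an assumption; compare against what the sensor actually sends.

```python
import re
import socket

# Constructed sample datagrams (not captured from a real maltrail sensor).
SAMPLE_SYSLOG = "<14>Jan 10 12:00:00 sensor1 maltrail: 192.168.1.10 -> 203.0.113.5 (suspicious)"
SAMPLE_CEF = ("<13>CEF:0|Maltrail|sensor|0.x|1|malicious domain|5|"
              "src=192.168.1.10 dst=203.0.113.5 msg=example\\|pipe")

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
_CEF_SPLIT_RE = re.compile(r"(?<!\\)\|")  # split on '|' unless escaped as '\|'

def parse_pri(line):
    """Return (facility, severity, rest) from an RFC 3164 '<PRI>' prefix, or None."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        return None
    return pri // 8, pri % 8, m.group(2)

def parse_cef(body):
    """Split a CEF:0 header into its seven fields plus the extension string."""
    if not body.startswith("CEF:0|"):
        return None
    parts = _CEF_SPLIT_RE.split(body, maxsplit=7)
    if len(parts) != 8:
        return None
    keys = ("version", "vendor", "product", "dev_version",
            "sig_id", "name", "severity", "extension")
    return dict(zip(keys, [p.replace("\\|", "|") for p in parts]))

def classify(datagram):
    """Describe one datagram the way a receiver input would triage it."""
    pri = parse_pri(datagram)
    if pri is None:
        return {"kind": "unknown"}
    facility, severity, rest = pri
    cef = parse_cef(rest)
    if cef:
        return {"kind": "cef", "facility": facility, "severity": severity, "cef": cef}
    return {"kind": "syslog", "facility": facility, "severity": severity, "msg": rest}

def listen(host="0.0.0.0", port=514, count=1):
    """Bind the UDP port the sensor sends to; return (sender_ip, classified) pairs."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, port))
        for _ in range(count):
            data, addr = s.recvfrom(65535)
            results.append((addr[0], classify(data.decode("utf-8", "replace"))))
    return results
```

Run `listen(port=5560)` on the log-server host with the Graylog input stopped; if nothing arrives, the problem is on the path or the sensor side, not in the Graylog input configuration.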