graylog2

From: Nick Smith 
------------------------------------------------------
I'm trying to get graylog2 set up to accept logs from rsyslog

I keep getting this in the log:

FATAL: org.graylog2.Main - Could not start syslog server core thread.
Do you have permissions to listen on port 514?

I've googled around and I have AppArmor and the firewall disabled on
Ubuntu 12.04.
The graylog user I set up has sudo access, which I guess is needed to
bind to a port.

rsyslogs.conf:

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 12201

graylog2.conf

# On which port (UDP) should we listen for Syslog messages? (Standard: 514)
syslog

===============================================================
From: Dave Brockman
------------------------------------------------------
Q. Can any two programs run on the same protocol/port pair at the same time?

A. No.

Start at the "Sending logs to the Graylog2 server" part of your tutorial. That's what you do on other servers to send *to* your graylog2 server.

-- 
"Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network." RFC 1925

===============================================================
From: Nick Smith
------------------------------------------------------
Thanks for the help, I figured that was the case. I'm assuming graylog2 and rsyslog both have to be running on the same box, and both want to use 514. I guess I'm drawing a blank on how I could change the port on one and still have it end up in graylog2.

===============================================================
From: Dave Brockman
------------------------------------------------------
Why on earth would you continue to ASS*U*me that when I just told you that you can't do that? I didn't see graylog2 set up on 514 in the tutorial (I only scanned so I could have missed it). Either rsyslogd will answer on UDP/514 and forward it on to graylog2 *ON A DIFFERENT PORT/PROTOCOL PAIR* or a socket, or graylog2 will replace rsyslogd and receive those messages. Either way, you do NOT configure two services to run on the same protocol/port pair. It does NOT work.

Look for hints in either /opt/graylog2-server/graylog2.conf or find graylog2.conf under /etc and look in it. Again, I can't tell quickly if the purpose of this software is to replace rsyslogd on the host server, or supplement it. But you can't run two services on UDP/514 at the same time.

Regards,
dtb

Thanks for any help, I think I've just over complicated this and
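The port conflict discussed in this thread, as an added example that is not part of any poster's message and is not graylog2 or rsyslog code: it shows a second bind to an already-owned UDP port failing, tells that apart from a privileged-port permission failure, and relays one datagram from the front port to a listener on a different port. The function names `diagnose_bind`, `relay_once` and `demo` are hypothetical, and ephemeral loopback ports stand in for 514 so it runs without root.

```python
import errno
import socket


def diagnose_bind(port, host="127.0.0.1", proto=socket.SOCK_DGRAM):
    """Try to bind host:port and return (status, socket or None)."""
    s = socket.socket(socket.AF_INET, proto)
    try:
        s.bind((host, port))
        return "ok", s
    except OSError as e:
        s.close()
        if e.errno == errno.EADDRINUSE:
            # Another service already owns this protocol/port pair.
            return "in_use", None
        if e.errno == errno.EACCES:
            # Port below 1024 without root or CAP_NET_BIND_SERVICE.
            return "permission_denied", None
        raise


def relay_once(front, backend_addr):
    """Receive one datagram on the front socket and forward it unchanged."""
    data, _ = front.recvfrom(8192)
    front.sendto(data, backend_addr)
    return data


def demo():
    # Assumption: ephemeral ports replace 514 so no privileges are needed.
    _, front = diagnose_bind(0)              # plays the service that owns "UDP/514"
    front_port = front.getsockname()[1]
    clash, _ = diagnose_bind(front_port)     # second service on the same pair
    _, backend = diagnose_bind(0)            # collector on a different port
    front.settimeout(2)
    backend.settimeout(2)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    msg = b"<13>Aug  9 10:00:00 host1 test: constructed sample message"
    sender.sendto(msg, ("127.0.0.1", front_port))
    relay_once(front, backend.getsockname())
    received, _ = backend.recvfrom(8192)
    for s in (sender, front, backend):
        s.close()
    return clash, received == msg


if __name__ == "__main__":
    print(demo())
```
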