
I am trying to create a Graylog Server - Graylog Collector setup, where the graylog collector collects the syslog files on one machine and ships them to the server.

I have used the AWS AMI to create the Graylog Server and it is working as expected.

I installed a Graylog Collector on the same machine and I am able to see it in the list of sources for that instance.

My problem is when I try and connect to a remote Graylog Collector.

The Graylog Collector configuration file looks like this:

server-url = "http://xxx.xxx.xxx.xxx:12900/"

inputs {  
  syslog {
    type = "file"
    path = "/var/log/syslog"
  }     
}

outputs {
  graylog-server {
    type = "gelf"
    host = "xxx.xxx.xxx.xxx"
    port = 12201
  } 
}    

where xxx.xxx.xxx.xxx is the private IP address of the graylog server I am attempting to connect to.

An extract from the configuration of the graylog server is:

rest_listen_uri = http://0.0.0.0:12900/

And the security groups for both instances are as follows:

-----------------------------------------------------------------
| Type            | Protocol        | Port Range   |  Source    |
-----------------------------------------------------------------
| Custom TCP Rule | TCP             | 12201        |  0.0.0.0/0 |
-----------------------------------------------------------------
| Custom TCP Rule | TCP             | 12900        |  0.0.0.0/0 |
-----------------------------------------------------------------

When I look at the logs for the graylog collector, I get the following messages:

2015-11-14T23:41:33.948+0000 ERROR [gelfTcpTransport-1-1] gelfclient.transport.GelfTcpTransport - Connection failed: Connection refused: /xxx.xxx.xxx.xxx:12201
2015-11-14T23:41:34.949+0000 ERROR [gelfTcpTransport-1-1] gelfclient.transport.GelfTcpTransport - Connection failed: Connection refused: /xxx.xxx.xxx.xxx:12201
2015-11-14T23:41:35.951+0000 ERROR [gelfTcpTransport-1-1] gelfclient.transport.GelfTcpTransport - Connection failed: Connection refused: /xxx.xxx.xxx.xxx:12201
2015-11-14T23:41:36.953+0000 ERROR [gelfTcpTransport-1-1] gelfclient.transport.GelfTcpTransport - Connection failed: Connection refused: /xxx.xxx.xxx.xxx:12201
2015-11-14T23:41:37.956+0000 ERROR [gelfTcpTransport-1-1] gelfclient.transport.GelfTcpTransport - Connection failed: Connection refused: /xxx.xxx.xxx.xxx:12201
2015-11-14T23:41:38.698+0000 WARN  [HeartbeatService RUNNING] collector.heartbeat.HeartbeatService - Unable to send heartbeat to Graylog server: ConnectException: Connection refused

(again xxx.xxx.xxx.xxx is the private IP address of the graylog server I am attempting to connect to)

I have run a traceroute between the 2 machines on port 12201 and port 12900 without any problems.

Can anyone tell me what I might be missing in my configuration to allow these 2 to connect?

Both are running Ubuntu 14.04.

Thanks,

Seán

  • Update - I have created a GELF TCP Input on my graylog server on port 12201. The error message I'm now receiving is: 2015-11-16T09:35:04.689+0000 WARN [HeartbeatService RUNNING] collector.heartbeat.HeartbeatService - Unable to send heartbeat to Graylog server: ConnectException: Connection refused. So it looks like it has worked to an extent, but I'm still not able to view the collector running on the client in the list of collectors on the System > Collectors page. I guess I could just disable heartbeat registration in the configuration for the graylog collector (but I'd rather not). – Seán Nov 16 '15 at 09:52
  • I'm having the same issue. In my case, the Graylog server is instanced locally, using a vagrant virtual machine. I'm researching; if I have a solution I will post it here. Regards. – rtrujillor Dec 18 '15 at 10:02

2 Answers


Try changing the settings in the Graylog Web "System -> Inputs" menu: edit the settings of the input that listens on port 12201 (in my case it is called "Appliance Gelf UDP"), and change the "Bind address" to your private IP. In my case, where everything is on localhost (the collector and the vagrant virtual machine containing the Graylog server), I have written "127.0.0.1", and the "[HeartbeatService RUNNING] collector.heartbeat.HeartbeatService - Unable to send heartbeat to Graylog server: ConnectException: Connection refused" error message has disappeared from the Graylog Collector's log.

This is the STDOUT output of a healthy collector starting:

2015-12-18T12:26:24.027+0100 INFO  [main] cli.commands.Run - Starting Collector v0.4.1 (commit 36a0856)
2015-12-18T12:26:24.032+0100 INFO  [main] cli.commands.Run - Running on Windows 8.1 Windows 8.1 6.3 (amd64)
2015-12-18T12:26:25.311+0100 INFO  [main] collector.utils.CollectorId - Collector ID: ff0f70f5-2d48-4b5c-9943-88031ea5e0fc
2015-12-18T12:26:25.349+0100 INFO  [main] outputs.gelf.GelfOutput - Starting GELF transport: org.graylog2.gelfclient.GelfConfiguration@7ca65d82
2015-12-18T12:26:25.761+0100 INFO  [gelfTcpTransport-1-1] gelfclient.transport.GelfTcpTransport - Channel disconnected!
2015-12-18T12:26:25.761+0100 INFO  [main] cli.commands.Run - Service RUNNING: BufferProcessor [RUNNING]
2015-12-18T12:26:25.761+0100 INFO  [main] cli.commands.Run - Service RUNNING: FileObserver [RUNNING]
2015-12-18T12:26:25.761+0100 INFO  [main] cli.commands.Run - Service RUNNING: MemoryReporterService [RUNNING]
2015-12-18T12:26:25.761+0100 INFO  [main] cli.commands.Run - Service RUNNING: MetricService [RUNNING]
2015-12-18T12:26:25.762+0100 INFO  [main] cli.commands.Run - Service RUNNING: HeartbeatService [RUNNING]
2015-12-18T12:26:25.764+0100 INFO  [main] cli.commands.Run - Service RUNNING: GelfOutput{port='12201', id='gelf-tcp', client-send-buffer-size='-1', host='127.0.0.1', inputs='', client-reconnect-delay='1000', client-connect-timeout='5000', client-tcp-no-delay='true', client-queue-size='512'}
rtrujillor
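
"Connection refused" in the collector log means the server host answered but nothing accepted TCP on that address and port, which a successful traceroute does not rule out. The following is an added example (not code from the question or the answers) that separates that case from a security-group drop; `probe`, `diagnose` and `demo` are names made up for this sketch, and the demo listener is constructed locally.

```python
import socket

# Ports taken from the question: the GELF TCP output and the REST API in server-url.
ENDPOINTS = {12201: "GELF TCP input", 12900: "REST API (collector heartbeat)"}

HINTS = {
    "open": "a listener accepted the connection",
    "refused": "host reachable, but nothing is listening on this address:port "
               "(input not started, or bound to a different address)",
    "filtered": "no reply before the timeout (security group or firewall drop)",
}


def probe(host, port, timeout=2.0):
    """Classify a single TCP connect attempt as open, refused or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:  # e.g. no route to host, name resolution failure
        return "error: %s" % exc


def diagnose(host, endpoints=ENDPOINTS, timeout=2.0):
    """Probe every endpoint on host; returns {port: (state, hint)}."""
    results = {}
    for port in endpoints:
        state = probe(host, port, timeout)
        results[port] = (state, HINTS.get(state, state))
    return results


def demo():
    """Constructed check: a listener on 127.0.0.1, then the same port once it is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port, constructed for the demo
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe("127.0.0.1", port)
    srv.close()
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    print(demo())
```

Run from the collector host as `diagnose("xxx.xxx.xxx.xxx")` with the server's private IP: "refused" on 12201 or 12900 points at a missing listener or its bind address, "filtered" at the security group. Once both ports answer, the 0.0.0.0/0 source in the rules shown in the question can be narrowed to the collector's address.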

The heartbeat error is related to the registration of graylog-collector with the graylog-server. The collector needs to register with the Graylog server so that it can appear in the System->Collector menu of the web interface. In the graylog-collector configuration file, set "enable-registration = false" (without quotes) as global configuration to remove this heartbeat error. This will remove the heartbeat error, and the logs will still be going to the graylog server without any issue.

gg4u