Messages from Gelf4Net are not stored in Graylog2

Question

I have an Ubuntu server with Elasticsearch, MongoDB, and Graylog2 running in Azure, and I have an asp.net mvc4 application I am trying to send logs from. (I am using Gelf4Net / Log4Net as the logging component). To cut to the chase, nothing is being logged.

(skip to the update to see what is wrong)

The setup

• 1 Xsmall Ubuntu VM running the needed software for graylog2
  • everything is running as a daemon
• 1 Xsmall cloud service with the MVC4 app (2 instnaces)
• A virtual network setup so they can talk.

So what have I tried?

• From the linux box the follow command will cause a message to be logged echo "<86>Dec 24 17:05:01 foo-bar CRON[10049]: pam_unix(cron:session):" | nc -w 1 -u 127.0.0.1 514
• I can change the IP address to use the public IP and it works fine as well.
• using this powershell script I can log the same message from my dev machine as well as the production web server
• Windows firewall turned off and it still doesn't work.
• I can log to a FileAppender Log4Net, so I know Log4Net is working.
• tailing the graylog2.log shows nothing of interest. Just a few warning about my plugin directory So I know everything is working, but I can't get the Gelf4Net appender to work. I'm a loss here. Where can I look? Is there something I am missing

GRAYLOG2.CONF

#only showing the connection stuff here. If you need something else let me know
syslog_listen_port = 514
syslog_listen_address = 0.0.0.0
syslog_enable_udp = true
syslog_enable_tcp = false

web.config/Log4Net

//application_start() has log4net.Config.XmlConfigurator.Configure();

<log4net >
  <root>
    <level value="ALL" />
    <appender-ref ref="GelfUdpAppender" />
  </root>
  <appender name="GelfUdpAppender" type="Gelf4net.Appender.GelfUdpAppender, Gelf4net">
    <remoteAddress value="public.ip.of.server"/>
    <remotePort value="514" />
    <layout type="Gelf4net.Layout.GelfLayout, Gelf4net">
      <param name="Facility" value="RandomPhrases" />
    </layout>
  </appender>
</log4net>

---

update

for some reason it didn't occur to me to run graylog in debug mode :) Doing so shows this message.

2013-04-09 03:00:56,202 INFO : org.graylog2.inputs.syslog.SyslogProcessor - Date could not be parsed. Was set to NOW because allow_override_syslog_date is true. 2013-04-09 03:00:56,202 DEBUG: org.graylog2.inputs.syslog.SyslogProcessor - Skipping incomplete message.

So it is sending an incomplete message. How can I see what is wrong with it?

Answer 1

I was using the wrong port (DOH!)

I should have been using the port specified in graylog2.config / gelf_listen_port = 12201

so my web.config/log4net/gelf appender should have had

<appender name="GelfUdpAppender" type="Gelf4net.Appender.GelfUdpAppender, Gelf4net">
   ...
    <remotePort value="12201" />
   ...
</appender>

---

For anyone who may have the same problem, make sure Log4Net reloads the configuration after you change it. I don't have it set to watch the config file for changes, so it took me a few minutes to realize that I was using the wrong port. When I changed it from 514 to 12201 the first time, messages still weren't getting though. I had to restart the server for Log4Net to pick up the new config, and then it started to work.