Adding Graylog to rSyslog Server

We’ve had this syslog server running forever but now want to implement a better way to analyze the logs. I’ve got Graylog up and running. What’s the quickest way to get it picking up all the data incoming to rsyslog? I figured if I create an Input on port 1514, then use iptables to redirect 514 to 1514, it should automatically start getting all incoming logs.

sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 514 -j REDIRECT --to-port 1514

So far nothing is showing up. Is there anything I’m missing or not thinking of? The input I have is:

allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
override_source:
port: 1514
recv_buffer_size: 1048576
store_full_message: false
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password: ********
use_null_delimiter: false

Can you perform a tcpdump and verify that the server is receiving data?


This is my mistake: the firewall port wasn’t open and I had Graylog set to TCP. Everything’s working now!

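The transport mismatch behind the resolution, as an added Python example that is not part of this thread: a TCP-only listener standing in for the Graylog TCP input receives nothing when the syslog message arrives over UDP, but does receive it over TCP (the `-p tcp` iptables rule above has the same blind spot, since it never redirects UDP 514). The message, the ephemeral port and the listener are constructed for the demo; in rsyslog's forwarding syntax `@host` sends UDP and `@@host` sends TCP.

```python
import socket
import threading
import time

# Constructed RFC 3164-style test message (not taken from the thread).
SAMPLE_MSG = b"<34>Jan  1 00:00:00 rsyslog-host sshd[1]: test message\n"


def tcp_input(srv, received, stop):
    """Accept loop of a TCP-only syslog input; appends each received payload."""
    srv.settimeout(0.2)
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn:
            received.append(conn.recv(4096))


def send_syslog(port, proto):
    """Send SAMPLE_MSG to 127.0.0.1:port over 'udp' or 'tcp'."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(SAMPLE_MSG, ("127.0.0.1", port))
    else:
        with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
            s.sendall(SAMPLE_MSG)


def demo():
    """Bind a TCP-only input on an ephemeral port, send UDP then TCP, count arrivals."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port stands in for the input's 1514
    srv.listen(1)
    port = srv.getsockname()[1]
    received, stop = [], threading.Event()
    t = threading.Thread(target=tcp_input, args=(srv, received, stop), daemon=True)
    t.start()
    send_syslog(port, "udp")        # what an rsyslog client using @host (UDP) sends
    time.sleep(0.5)
    after_udp = len(received)       # 0: a TCP input never sees UDP datagrams
    send_syslog(port, "tcp")        # what @@host (TCP) sends
    time.sleep(0.5)
    after_tcp = len(received)       # 1: the same message over TCP is accepted
    stop.set()
    t.join()
    srv.close()
    return {"after_udp": after_udp, "after_tcp": after_tcp}


if __name__ == "__main__":
    print(demo())
```

Running it with a UDP listener instead would invert the result, which is the quick way to confirm which transport your rsyslog clients actually use before touching the input or the redirect rule.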
