Adding Graylog to rSyslog Server


(Grizz ) #1

We’ve had this syslog server running forever but now want to implement a better way to analyze the logs. I’ve got Graylog up and running. Whats the quickest way to get it picking up all the data incoming to rsyslog? I figured if i create an Input on port 1514, then use iptables to redirect 514 to 1514 it should automatically start getting all incoming logs.

sudo iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 514 -j REDIRECT --to-port 1514

So far nothing is showing up, is there anything i’m missing or not thinking of? The input i have is:

allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
override_source:
port: 1514
recv_buffer_size: 1048576
store_full_message: false
tcp_keepalive: false
tls_cert_file:
tls_client_auth: disabled
tls_client_auth_cert_file:
tls_enable: false
tls_key_file:
tls_key_password: ********
use_null_delimiter: false


(Shane) #2

Can you perform a tcpdump and verify that the server is receiving data?


(Grizz ) #3

This is my mistake, firewall port wasn’t open and had Graylog set to TCP. Everythings working now!


(system) #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.