Adding Legacy Devices to GrayLog Remotely

So I have my Graylog server set up at location “A”. Setting up inputs and I’m scratching my head on this one:

I have a raspberry pi at location “B”. It serves as a remote access device and logging device for some legacy equipment on the network via rsyslog (/etc/rsyslog.d/temlateHere.conf). It logs 2 devices in addition to the pi itself. I use ZeroTier to connect my devices. All I can do client-side on these legacy devices is point to the server and port to send syslog to.

I have the pi and graylog on the same ZeroTier network. I think: Can I take what’s being logged to the raspberry pi and send that to graylog via another port? I’ve been trying for a few hours and this is what I’ve looked at and come across:

Wondering if any of y’all have come across a situation similar to this, if you see the missing puzzle piece in this that I don’t see, have an answer or “idea”. TIA.

Also:

2 link limit:

Hello && Welcome

Maybe I can help.

Let me understand your environment.
There are three devices, and your PI has Graylog server on it.
You want to send the PI logs to another logging server? If this is correct, then yes you can.
In my lab I have two log shippers (Nxlog, FileBeat) on one device sending logs to two different logging servers.

So there’s legacy device 1 and 2. They’re sending logs to the pi that’s running rsyslog and printing the log to their respective outputs (/var/log/legacydevice1.log). I want to send that to my graylog instance at a separate location.

The pi does not have graylog on it. Only rsyslog and other unrelated applications.

I want to send the logs from legacy device 1 on the pi to the graylog server as input: legacy device 1 @x.x.x.x:5141
I want to send the logs from legacy device 2 on the pi to the graylog server as input: legacy device 2 @x.x.x.x:5142
Then, I want to send the logs from the pi syslog to the graylog server as input: pi syslog @x.x.x.x:5143

The reason for doing it this way is that ZeroTier is secure and encrypted, creating a layer 2 network so that you can connect 2 devices anywhere without firewall configuration. No ports are exposed to the internet. The legacy devices can’t run the ZeroTier software on them, so that’s why the pi sits in the middle.

I hope this explained more. Thanks

Please post your real rsyslog conf, so we can help with correct syntax. Also send the rsyslog version used on the pi.

I agree with @shoothub, seeing your rsyslog.conf would be great.

Just a side note, depending on what type of input you’re using on Graylog you will need to match them up to one of these in the Rsyslog configuration file.

*.* @@x.x.x.x:5141 ---> This would be used for UDP connection ( Syslog UDP input)
*.* @x.x.x.x:5141 -->  This would be used for TCP  connection (Syslog TCP input)

What I’m more curious about is the need to send each source to its own input–it doesn’t seem to make a lot of sense in my mind. If you’re sending 3 separate syslog sources to Graylog, send them all to the same input. It will reduce configuration complexity and from there, you can separate the data how you like within Graylog using pipelines or stream routing.

1 Like
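The relay asked about in this thread, as an added example that does not come from any poster here: an rsyslog drop-in on the pi that keeps writing each legacy device's log locally and also forwards it to its own Graylog input over the ZeroTier network. The file name, the device addresses 192.0.2.11 and 192.0.2.12, the 514/udp listener and /var/log/legacydevice2.log are assumptions; x.x.x.x stands for the Graylog server's ZeroTier address as in the thread.

```conf
# /etc/rsyslog.d/60-graylog-relay.conf on the pi (file name is an assumption)
# Assumes rsyslog v8 RainerScript syntax and that no other file already
# loads imudp or listens on 514/udp.
#
# protocol= must match the Graylog input type (Syslog TCP or Syslog UDP).
# In rsyslog's legacy one-line syntax the same choice is written as
#   *.* @host:port    (single @ = UDP)
#   *.* @@host:port   (double @ = TCP)
#
# queue.filename makes each forwarder disk-assisted so messages are buffered
# while the ZeroTier link or Graylog is down; it requires a configured
# rsyslog work directory.

module(load="imudp")
# The legacy devices are pointed at this listener.
input(type="imudp" port="514" ruleset="relay")

ruleset(name="relay") {
    # Legacy device 1 (constructed address)
    if $fromhost-ip == "192.0.2.11" then {
        action(type="omfile" file="/var/log/legacydevice1.log")
        action(type="omfwd" target="x.x.x.x" port="5141" protocol="tcp"
               template="RSYSLOG_SyslogProtocol23Format"
               queue.type="LinkedList" queue.filename="fwd_dev1"
               queue.saveOnShutdown="on" action.resumeRetryCount="-1")
    # Legacy device 2 (constructed address, assumed log path)
    } else if $fromhost-ip == "192.0.2.12" then {
        action(type="omfile" file="/var/log/legacydevice2.log")
        action(type="omfwd" target="x.x.x.x" port="5142" protocol="tcp"
               template="RSYSLOG_SyslogProtocol23Format"
               queue.type="LinkedList" queue.filename="fwd_dev2"
               queue.saveOnShutdown="on" action.resumeRetryCount="-1")
    }
}

# Messages generated on the pi itself stay in the default ruleset.
action(type="omfwd" target="x.x.x.x" port="5143" protocol="tcp"
       template="RSYSLOG_SyslogProtocol23Format"
       queue.type="LinkedList" queue.filename="fwd_pi"
       queue.saveOnShutdown="on" action.resumeRetryCount="-1")
```

Check the file with `rsyslogd -N1` before restarting the service. For the single-input layout suggested in the last reply, point all three omfwd actions at the same port and split the sources in Graylog instead.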
