Alert log via internal log or by rsyslog

(Santi) #1

Hi Community,
I’ve set up, via the plugin "Logging Alert Plugin for Graylog", a new alert; I need to generate a new event if my alert matches the stream. This way (I think) is working fine because the event is generated in Graylog, but in “/var/log/graylog-server/server.log”. I can’t see this event in the Graylog search. The event is in “server.log”; I put a sample:

2019-05-01T15:57:43.075+02:00 INFO [LoggingAlert] type: alert | id: 5cc9a5d5da55db4e328d460c | severity: high | app: graylog | subject: Root logon | body: Stream received messages matching message:“root” (Current grace time: 0 minutes) | src: | src_category: | dest: | dest_category:

Why can’t I see the event in the “search”??? How can I do it so that I can see the event generated via alert in “Search”???

So, also I’ve seen another option is to use another plugin, "Internal Logs Input Plugin for Graylog". I found this solution and I created the input, but I can’t see the events in the “Search”. I’m confused because in the input I can see the metrics show messages (a lot of events)… but I go to “search” and I don’t see anything. Sorry, but it is difficult for me. I’m very frustrated.

Do you have any idea about this? Could you help me please???

I mean using rsyslog; my rsyslog config has, for example:

graylog.* /var/log/graylog-server/server.log
graylog.* @localhost:5141

I think that can work but I’m testing and it is not running. I can’t work with this way yet… impossible.

Please, could you help me with any solution??? I want to see the event generated for the new alert!!!

Sorry.

Regards

I

(Jan Doberstein) #2

With vanilla Graylog such is not (yet) possible. The upcoming 3.1 release will have that available!

What the plugin does I do not know, as I do not know the plugin.

(Santi) #3

But I’ve seen this: https://github.com/airbus-cyber/graylog-plugin-logging-alert
and https://github.com/graylog-labs/graylog-plugin-internal-logs

Do you know that???

(Jan Doberstein) #4

I know - but never used it.

(Santi) #5

Do you know any alternative, please?

Thanks

#6

As you say, Logging Alert generates a log which by default is written to server.log.
You have two solutions:

  • Configure rsyslog to read this file and send the logs to Graylog (the rsyslog config you provide is not sufficient)
  • Configure Graylog’s log4j2.xml to send Graylog’s logs directly to Graylog (syslog appender or with the plugin Internal Log). Note: I had some problems with the plugin Internal Log (logs were received twice)

(Santi) #7

Hi Frantz,

Do you have any example for rsyslog, please?

Thank you !

#8

You can use something like:
module(load="imfile")
input(type="imfile"
      File="/var/log/graylog-server/server.log"
      Tag="graylog-server:"
      Facility="local6"
)
local6.* @localhost:5141
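
To see what actually travels over that `local6.* @localhost:5141` hop, here is an added example (written for this thread, not code from Graylog, the Logging Alert plugin or rsyslog) that parses the LoggingAlert line format shown in post #1 from server.log and wraps it in the RFC 3164 syslog datagram an imfile forwarder would emit for facility local6. The sample line, the function names, the hostname `graylog01` and the choice to reuse the line's own timestamp (rsyslog would stamp the reception time) are all assumptions of the example; the empty trailing fields (`src:`, `dest_category:`) are handled explicitly, since those are the ones that break naive `key: value` splitting.

```python
"""Parse Logging Alert Plugin lines from server.log and wrap them as syslog
datagrams, the way an rsyslog imfile -> "local6.* @host:5141" forwarder does.
Added example for this thread; not code from Graylog, the plugin or rsyslog."""
import re
import socket
from datetime import datetime

# Constructed sample in the format shown in post #1 (not a real alert).
SAMPLE_LINE = (
    '2019-05-01T15:57:43.075+02:00 INFO [LoggingAlert] type: alert | '
    'id: 5cc9a5d5da55db4e328d460c | severity: high | app: graylog | '
    'subject: Root logon | body: Stream received messages matching '
    'message:"root" (Current grace time: 0 minutes) | src: | '
    'src_category: | dest: | dest_category:'
)

# server.log prefix: ISO-8601 timestamp, log level, logger name in brackets, message
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+(?P<rest>.*)$'
)

# RFC 3164 numeric codes: facility local6 = 22; severity mapped from the log4j level
FACILITIES = {'local0': 16, 'local1': 17, 'local2': 18, 'local3': 19,
              'local4': 20, 'local5': 21, 'local6': 22, 'local7': 23}
LEVEL_TO_SEVERITY = {'FATAL': 2, 'ERROR': 3, 'WARN': 4, 'INFO': 6, 'DEBUG': 7, 'TRACE': 7}


def parse_logging_alert(line):
    """Return a dict of alert fields, or None if the line is not a LoggingAlert line."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m or m.group('logger') != 'LoggingAlert':
        return None
    fields = {'timestamp': m.group('ts'), 'level': m.group('level')}
    # Fields are " | "-separated "key: value" pairs; the body itself contains
    # colons, so split each part on its first ": " only.
    for part in m.group('rest').split(' | '):
        key, sep, value = part.partition(': ')
        if not sep:
            # Empty trailing fields arrive as "src:" with nothing after the colon
            key, value = part.rstrip(':'), ''
        fields[key.strip()] = value.strip()
    return fields


def to_syslog_datagram(line, facility='local6', tag='graylog-server', hostname='graylog01'):
    """Build the RFC 3164 datagram an rsyslog forwarder sends for this line.

    The hostname is an assumed value. rsyslog stamps the reception time; this
    reuses the line's own timestamp so the result is reproducible."""
    alert = parse_logging_alert(line)
    if alert is None:
        return None
    # PRI = facility * 8 + severity; local6 + INFO gives <182>
    pri = FACILITIES[facility] * 8 + LEVEL_TO_SEVERITY.get(alert['level'], 6)
    dt = datetime.fromisoformat(alert['timestamp'])
    stamp = f"{dt:%b} {dt.day:2d} {dt:%H:%M:%S}"   # RFC 3164 "Mmm dd hh:mm:ss"
    return f"<{pri}>{stamp} {hostname} {tag}: {line.rstrip()}".encode()


def forward_udp(line, host='localhost', port=5141):
    """Send one line to a Graylog syslog UDP input (the @host:port target from the thread)."""
    datagram = to_syslog_datagram(line)
    if datagram is None:
        return 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (host, port))


if __name__ == '__main__':
    print(parse_logging_alert(SAMPLE_LINE))
    print(to_syslog_datagram(SAMPLE_LINE).decode())
```

Feeding `server.log` through `parse_logging_alert` is also a quick way to confirm the plugin is writing lines at all before blaming the forwarder; if the Graylog input shows a message count but the search shows nothing, comparing the `<182>` priority and tag in these datagrams with what the syslog input expects is the next thing to check.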

(Santi) #9

Will check it!!

Thank you Frantz

(Santi) #10

Hi,

My config has been:

  1. I’ve created a new file, “100-graylog.conf”, in the path /etc/rsyslog.d/:
    $InputFileName /var/log/graylog-server/server.log
    $InputFileTag graylog-server
    $InputFileStateFile graylog-server
    $InputFileFacility local6
    # $InputRunFileMonitor activates the monitor and must come after the other $InputFile* directives
    $InputRunFileMonitor

  2. Edit the file "/etc/rsyslog.conf" and add these lines:
    module(load="imfile")
    local6.* @ip_graylog:5141

So, this config works properly!

Thanks!!!