Hi Community,
I’ve set up a new alert via the plugin "Logging Alert Plugin for Graylog". I need to generate a new event if my alert matches the stream. This (I think) is working fine, because the event is generated in Graylog, but in “/var/log/graylog-server/server.log”. I can’t see this event in Graylog search. The event is in “server.log”; I put a sample:
Why can’t I see the event in “Search”? How can I make the event generated via the alert visible in “Search”?
Also, I’ve seen that another option is to use another plugin, "Internal Logs Input Plugin for Graylog". I found this solution and created the input, but I can’t see the events in “Search”. I’m confused because in the input I can see the metrics show messages (a lot of events)… but when I go to “Search” I don’t see anything. Sorry, but it is difficult for me. I’m very frustrated.
Do you have any idea about this? Could you help me, please?
I mean use rsyslog; my rsyslog config has, such as:
As you say, Logging Alert generates a log which by default is written to server.log.
You have two solutions:
Configure Rsyslog to read this file and send logs to Graylog (the rsyslog config you provide is not sufficient)
Configure Graylog log4j2.xml to send Graylog’s logs directly to Graylog (syslog appender or with the plugin Internal Log). Note: I had some problems with the plugin Internal Log (logs were received twice).
You can use something like:
module(load="imfile")
input(type="imfile"
      File="/var/log/graylog-server/server.log"
      tag="graylog-server:"
      Facility="local6"
)
local6.* @localhost:5141
I’ve created a new file, “100-graylog.conf”, in the path /etc/rsyslog.d/:
$InputFileName /var/log/graylog-server/server.log
$InputFileTag graylog-server
$InputFileStateFile graylog-server
$InputFileFacility local6
# Must come last: activates the monitor using the settings above
$InputRunFileMonitor
Edit the file "/etc/rsyslog.conf" and add these lines:
module(load="imfile")
local6.* @ip_graylog:5141
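
The second option mentioned in the thread (a syslog appender in Graylog's log4j2.xml) could look like the fragment below. This is an added example, not part of the original posts or Graylog's shipped configuration. It assumes a Syslog UDP input is listening on localhost:5141 as in the rsyslog example; the appender name "graylog-syslog" is made up for the example, and "rolling-file" is assumed to be the name of the existing file appender.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Fragment to merge into the existing log4j2.xml, not a replacement for it. -->
<Configuration>
  <Appenders>
    <!-- Keep the appenders already defined in the file (e.g. the one writing server.log). -->

    <!-- Added: forwards every log event to the Syslog UDP input.
         Port 5141 and facility local6 match the rsyslog example in the thread. -->
    <Syslog name="graylog-syslog"
            host="localhost"
            port="5141"
            protocol="UDP"
            facility="LOCAL6"/>
  </Appenders>
  <Loggers>
    <Root level="warn">
      <!-- Assumed name of the existing file appender; keep whatever the file already references. -->
      <AppenderRef ref="rolling-file"/>
      <!-- Added: also send events to the syslog appender defined above. -->
      <AppenderRef ref="graylog-syslog"/>
    </Root>
  </Loggers>
</Configuration>
```

Use either this appender or the rsyslog imfile forwarder, not both, otherwise each line of server.log reaches Graylog twice.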