Alert log via internal log or by rsyslog

Hi Community,
I’ve set via plugin " Logging Alert Plugin for Graylog" a new alert, I need generate a new event if my alert has match with the stream. This way (I think) is working fine because the event is generate into Graylog but in “/var/log/graylog-server/server.log”. I can’t see this event on Graylog search. The event is into “server.log”, a put a sample:

2019-05-01T15:57:43.075+02:00 INFO [LoggingAlert] type: alert | id: 5cc9a5d5da55db4e328d460c | severity: high | app: graylog | subject: Root logon | body: Stream received messages matching message:“root” (Current grace time: 0 minutes) | src: | src_category: | dest: | dest_category:

Why I can’t see the event in the “search”??? How I can do it that, I can see the event generated vi alert in “Search”???

So, Also I’ve seen another option is use other plugin as " Internal Logs Input Plugin for Graylog". I found this solution but I created the input but I can’t see the events into the “Search”. I’m confuse because in the input I can see the metrics has messages (a lot of events)…but I go to “search” and I don’t see nothing. Sorry but its is difficult for me. I’m very frustrated.

Do you have any idea about this, could you help me please???

I mean use rsyslog, my rsyslog cofig has, such as:

graylog.* /var/log/graylog-server/server.log
graylog.* @localhost:5141

I think that can be works but I’m testing and its is not running. I can’t work with this way yet…impossible.

Please, do you help me for any solution??? I want see the event generate for new alert!!!




with vanilla Graylog such is not (yet) possible. The upcoming 3.1 release will have such available!

What the plugin does I do not know, as I do not know the plugin.

But I’ve seen this:

Do you know that???

i know - but never used.

Do you know any alternstive, please?


As you say Logging Alert generates a log which by default is written to server.log.
You have two solutions:

  • Configure Rsyslog to read this file and send logs to Graylog (the rsyslog config you provide is not sufficient)
  • Configure Graylog log4j2.xml to send Graylog’s logs directly to Graylog (syslog appender or with the plugin Internal Log). Note: I had some problems with the plugin Internal Log (logs were get twice)

Hi Frantz,

Do you have any example for rsyslog, please?

Thank you !

You can use something like:
local6.* @localhost:5141

Will check It!!

Thank you frantz


My config has been:

  1. I’ve created a new file type “100-graylog.conf”, into the path: /etc/rsyslog.d/
    $InputFileName /var/log/graylog-server/server.log
    $InputFileTag graylog-server
    $InputFileStateFile graylog-server
    $InputFileFacility local6

  2. Edit the file "/etc/rsyslog.conf, and add these lines:
    local6.* @ip_graylog:5141

So, this config works properly!


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.