Config RHEL8 rsyslog to send a copy of logs to graylog

Graylog Central (peer support)
1

Hi Forum,

i set up a graylog server, working probably fine. it still lacks logs that are sent to it, and there is my problem

i need to use the logs from the RHEL8 test machines to get useful output to convince people here to use graylog, but there are also the testers working constantly on this machines and needing them.
so i tried to find a configuration for rsyslog where it does not just send the logs to a remote server, that is easy and 1000 times done… i want the logs to remain where they are and send a COPY to graylog.

i just cannot seem to find an answer to that, i have a feeling meanwhile rsyslog is not capable of that…
or there is an elephant in the room that i dont see, so nobody mentions it thinking everybody would get that anyway.

can anybody give me an answer to that?

greetings
alex

2

The two people mostly use to copy to Graylog are ElasticSearch Beats or NXlog to ship pretty much anything you want into to Graylog. All the docs for that are right in those links. The nice thing about using them is you can manage consistent configurations of them via Graylog’s Sidecar

Let us know what direction you go!

1 Like
3

Hey @goorooj

I have to agree with @tmacgbay beeat /nxlog would be the way to go. For exeample on the nxlog tip i can route to two different servers,

Two inputs, notice the input names.

<Input stream-01>
    Module       im_file
    FILE         "/var/log/streams/*.json"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    #Exec  $Message = $raw_event;
 </Input>
<Input stream-02>
    Module       im_file
    FILE         "/var/log/streams/*.json"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    #Exec  $Message = $raw_event;
 </Input>

Two outputs

<Output  pizza-hut>
    Module      om_udp
    Host        pizza-hut.com
    Port        51411    
</Output>

<Output  papa-johns>
    Module      om_udp
    Host        papa-johns.com
    Port        51422    
</Output>

Now create you routes

<Route>
    Path        stream-01 => pizza-hut
</Route>
<Route>
    Path        stream-02 => papa-johns
</Route>

should be good.

1 Like
4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.