Config RHEL8 rsyslog to send a copy of logs to graylog

goorooj · January 22, 2023, 9:41pm

Hi Forum,

i set up a graylog server, working probably fine. it still lacks logs that are sent to it, and there is my problem

i need to use the logs from the RHEL8 test machines to get useful output to convince people here to use graylog, but there are also the testers working constantly on this machines and needing them.
so i tried to find a configuration for rsyslog where it does not just send the logs to a remote server, that is easy and 1000 times done… i want the logs to remain where they are and send a COPY to graylog.

i just cannot seem to find an answer to that, i have a feeling meanwhile rsyslog is not capable of that…
or there is an elephant in the room that i dont see, so nobody mentions it thinking everybody would get that anyway.

can anybody give me an answer to that?

greetings
alex

tmacgbay · January 23, 2023, 2:23pm

The two people mostly use to copy to Graylog are ElasticSearch Beats or NXlog to ship pretty much anything you want into to Graylog. All the docs for that are right in those links. The nice thing about using them is you can manage consistent configurations of them via Graylog’s Sidecar

Let us know what direction you go!

gsmith · January 24, 2023, 2:32am

Hey @goorooj

I have to agree with @tmacgbay beeat /nxlog would be the way to go. For exeample on the nxlog tip i can route to two different servers,

Two inputs, notice the input names.

<Input stream-01>
    Module       im_file
    FILE         "/var/log/streams/*.json"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    #Exec  $Message = $raw_event;
 </Input>
<Input stream-02>
    Module       im_file
    FILE         "/var/log/streams/*.json"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    #Exec  $Message = $raw_event;
 </Input>

Two outputs

<Output  pizza-hut>
    Module      om_udp
    Host        pizza-hut.com
    Port        51411    
</Output>

<Output  papa-johns>
    Module      om_udp
    Host        papa-johns.com
    Port        51422    
</Output>

Now create you routes

<Route>
    Path        stream-01 => pizza-hut
</Route>
<Route>
    Path        stream-02 => papa-johns
</Route>

should be good.

system · February 7, 2023, 2:32am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't send rsyslog Graylog Central (peer support)	14	2864	September 9, 2017
Send data with rsyslog Graylog Central (peer support)	7	4298	September 3, 2019
Rsyslog.conf on Graylog Server? Graylog Central (peer support)	2	1271	August 22, 2018
How do I configure rsyslog to send logs from a specific program to a remote syslog server? Graylog Central (peer support) sidecar	3	5899	October 2, 2020
Rsyslog only sending logs on restart Graylog Central (peer support)	2	761	September 29, 2021

Config RHEL8 rsyslog to send a copy of logs to graylog

Related topics