Hi there,
I hate having to resort to posting on the forums looking for help, but I'm absolutely stumped and can't work out where to go from here.
This was all set up on a completely fresh VM running CentOS 7.
I have a file that is sitting locally on the Graylog server; it is updated from an external source every 12 hours. I want to push this into Graylog so that I can analyse the messages easily.
I've installed Graylog Sidecar as per the documentation here: https://docs.graylog.org/en/3.3/pages/sidecar.html
I’ve used the default configuration values in the sidecar.yml file and have only edited the config to add my API key and some other host details along with:
# Default: empty list
list_log_files: [/root/Sophos-Central-SIEM-Integration/logs/]
I’ve then disabled and unconfigured the default nxlog service:
$ sudo service nxlog stop
$ sudo chkconfig --del nxlog
$ sudo gpasswd -a nxlog root
$ sudo chown -R nxlog.nxlog /var/spool/nxlog
I have created the GELF_TCP input and I can see that I have an active connection from my sidecar instance:
I have created a new log collector (nxlog_testcollect) by cloning the default nxlog log collector, the parameters are all left as default, the template has been updated like so (I commented out the syslogExt extension as a test):
define ROOT /usr/bin

<Extension gelfExt>
  Module xm_gelf
  # Avoid truncation of the short_message field to 64 characters.
  ShortMessageLength 65536
</Extension>

#<Extension syslogExt>
#  Module xm_syslog
#</Extension>

User nxlog
Group nxlog

Moduledir /usr/lib/nxlog/modules
CacheDir /var/spool/nxlog/data
PidFile /var/run/nxlog/nxlog.pid
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

<Input file>
  Module im_file
  File '/root/Sophos-Central-SIEM-Integration/logs/*.txt'
  PollInterval 1
  SavePos True
  ReadFromLast True
  Recursive False
  RenameCheck False
  Exec $FileName = file_name(); # Send file name with each message
</Input>

#<Input syslog-udp>
#  Module im_udp
#  Host 127.0.0.1
#  Port 514
#  Exec parse_syslog_bsd();
#</Input>

<Output gelf>
  Module om_tcp
  Host 127.0.0.1
  Port 12201
  OutputType GELF_TCP
  <Exec>
    # These fields are needed for Graylog
    $gl2_source_collector = '${sidecar.nodeId}';
    $collector_node_id = '${sidecar.nodeName}';
  </Exec>
</Output>

<Route route-1>
  Path file => gelf
</Route>

#<Route route-2>
#  Path syslog-udp => gelf
#</Route>
I've then created a new configuration that uses the nxlog_testcollect collector and is configured like so:
define ROOT /usr/bin

<Extension gelfExt>
  Module xm_gelf
  # Avoid truncation of the short_message field to 64 characters.
  ShortMessageLength 65536
</Extension>

#<Extension syslogExt>
#  Module xm_syslog
#</Extension>

User nxlog
Group nxlog

Moduledir /usr/lib/nxlog/modules
CacheDir /var/spool/nxlog/data
PidFile /var/run/nxlog/nxlog.pid
LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

<Input file>
  Module im_file
  File '/root/Sophos-Central-SIEM-Integration/logs/*.txt'
  PollInterval 1
  SavePos True
  ReadFromLast True
  Recursive False
  RenameCheck False
  Exec $FileName = file_name(); # Send file name with each message
</Input>

#<Input syslog-udp>
#  Module im_udp
#  Host 127.0.0.1
#  Port 514
#  Exec parse_syslog_bsd();
#</Input>

<Output gelf>
  Module om_tcp
  Host 127.0.0.1
  Port 12201
  OutputType GELF_TCP
  <Exec>
    # These fields are needed for Graylog
    $gl2_source_collector = '${sidecar.nodeId}';
    $collector_node_id = '${sidecar.nodeName}';
  </Exec>
</Output>

<Route route-1>
  Path file => gelf
</Route>

#<Route route-2>
#  Path syslog-udp => gelf
#</Route>
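One thing worth verifying in a setup like the one above is whether the account nxlog runs as (User nxlog in the template) can actually traverse /root and read the log directory, since the sidecar only reports connection state, not read failures. The following check is an added example, not code from the post or from nxlog/Graylog; it walks the path component by component using only the stat mode bits of the given uid and its groups (including supplementary groups such as the root group added with gpasswd), so it can be run as any user, and the default path and account name are the ones from the post.

```python
import grp
import os
import pwd
import stat

def _bits_for(st, uid, gids):
    """(read, exec) bits that apply to uid/gids for one stat result."""
    if uid == 0:
        return True, True  # root bypasses mode bits (capabilities ignored here)
    if st.st_uid == uid:
        r, x = stat.S_IRUSR, stat.S_IXUSR
    elif st.st_gid in gids:
        r, x = stat.S_IRGRP, stat.S_IXGRP
    else:
        r, x = stat.S_IROTH, stat.S_IXOTH
    return bool(st.st_mode & r), bool(st.st_mode & x)

def path_problems(path, uid, gids):
    """Walk from / to path and list components the account cannot use.

    Every directory on the way needs the search (x) bit; the final component
    needs the read bit (for a directory, that is what globbing *.txt needs).
    """
    path = os.path.abspath(path)
    parts = path.split(os.sep)[1:]
    problems, current = [], os.sep
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        try:
            st = os.stat(current)
        except FileNotFoundError:
            problems.append(f"{current}: does not exist")
            break
        r, x = _bits_for(st, uid, gids)
        if stat.S_ISDIR(st.st_mode) and not x:
            problems.append(f"{current}: no search (x) permission for uid {uid}")
        if i == len(parts) - 1 and not r:
            problems.append(f"{current}: no read permission for uid {uid}")
    return problems

def account_ids(username):
    """Resolve a username to (uid, gids) including supplementary groups."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return pw.pw_uid, gids

if __name__ == "__main__":
    user, target = "nxlog", "/root/Sophos-Central-SIEM-Integration/logs"
    uid, gids = account_ids(user)
    print("\n".join(path_problems(target, uid, gids)) or f"{target}: readable by {user}")
```

An empty result only means the mode bits allow access; SELinux, which is enforcing by default on CentOS 7, can still deny nxlog reads under /root, so check /var/log/audit/audit.log as well if the bits look fine.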