Detect which client hasn't sent syslog traffic

Hello All,
Can someone recommend or provide guidance on how to monitor whether a client hasn't sent its syslog traffic in a while, say an hour? Is it possible via the Graylog UI itself, or maybe a script that checks every hour? I know we can check under the “Sources” page in Graylog, but that's a manual way.

We have a few Linux/Windows clients sending their syslog traffic via UDP 514. The Linux clients use the rsyslog package for sending logs. Checking whether rsyslogd is running on the client doesn't seem to be the correct way, as the service can be running but not forwarding any logs.

I was thinking of writing a script in bash that runs the tcpdump command every hour and checks the content for each client IP. But I am not sure how to parse the tcpdump output and then detect/alert which client hasn't reported in a while.

The other way would be to have a list of known clients and check with a script against the Graylog API how old the latest message you have received from each source is.

Future versions of Graylog will have the ability to alert on such.


tcpdump is not a good idea.
You can ask Graylog via the API. Use it.
Jan wrote a good idea.
I have another one. Ask Graylog for a list of the sources, e.g. for the last day, store it, and make a diff with the previous one. If the previous one contains one that is not in the new…

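Both replies above (query the Graylog API for the age of each known client's newest message, and diff today's source list against a stored one) can be scripted. The following is an added example, not code from the thread or from Graylog: it assumes Graylog's legacy relative-search endpoint `/api/search/universal/relative` with an API token passed as the basic-auth username and the literal password `token`, and the hostnames, URL and token values are constructed placeholders. The alerting logic is kept in pure functions so it can be checked offline; only `last_seen_from_graylog` talks to the server.

```python
import base64
import json
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed settings: replace with your own Graylog URL, API token and client list.
GRAYLOG_URL = "http://graylog.example.internal:9000"
API_TOKEN = "REPLACE_WITH_API_TOKEN"
KNOWN_CLIENTS = ["web01", "db01", "win-dc01"]   # the list of expected sources
MAX_SILENCE = timedelta(hours=1)                 # alert when a client is quiet this long


def parse_graylog_ts(ts):
    """Parse Graylog's UTC timestamp string, e.g. '2019-05-01T12:00:00.000Z'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def last_seen_from_graylog(base_url, token, source, lookback=timedelta(days=1)):
    """Ask the (assumed) legacy relative-search API for the newest message from one
    source. Returns a datetime, or None if nothing arrived inside the lookback window."""
    params = urllib.parse.urlencode({
        "query": 'source:"%s"' % source,
        "range": int(lookback.total_seconds()),   # seconds back from now
        "limit": 1,
        "sort": "timestamp:desc",                 # newest message first
        "fields": "source,timestamp",
    })
    req = urllib.request.Request(base_url + "/api/search/universal/relative?" + params)
    creds = base64.b64encode(("%s:token" % token).encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    messages = body.get("messages", [])
    if not messages:
        return None
    return parse_graylog_ts(messages[0]["message"]["timestamp"])


def find_silent_clients(last_seen, now, max_silence):
    """First approach from the thread. last_seen maps source -> datetime or None.
    Returns the sources whose newest message is older than max_silence, or that
    sent nothing at all, sorted so repeated runs give stable output."""
    silent = []
    for source, seen in last_seen.items():
        if seen is None or now - seen > max_silence:
            silent.append(source)
    return sorted(silent)


def diff_sources(previous, current):
    """Second approach from the thread: sources that appeared in the stored list
    from the last run but are missing from the current one."""
    return sorted(set(previous) - set(current))


def check_all(base_url, token, clients, now=None, max_silence=MAX_SILENCE):
    """Fetch the last-seen time for every known client and report the silent ones."""
    now = now or datetime.now(timezone.utc)
    last_seen = {c: last_seen_from_graylog(base_url, token, c) for c in clients}
    return find_silent_clients(last_seen, now, max_silence)


if __name__ == "__main__":
    # Run from cron every hour; a non-zero exit lets a wrapper raise the alert.
    silent = check_all(GRAYLOG_URL, API_TOKEN, KNOWN_CLIENTS)
    for name in silent:
        print("ALERT: no syslog from %s in the last %s" % (name, MAX_SILENCE))
    sys.exit(1 if silent else 0)
```

Keeping the known-client list explicit (rather than deriving it only from what Graylog currently sees) is what catches a host that stopped forwarding entirely; the `diff_sources` snapshot comparison is cheaper but only notices a client once it has dropped out of the whole lookback window.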
