Can someone recommend or provide guidance on how to monitor whether a client hasn’t sent its syslog traffic in a while, say an hour? Is it possible via the Graylog UI itself, or maybe a script that checks every hour? I know we can check under the “Sources” page in Graylog, but that’s a manual way.
We have a few Linux/Windows clients sending their syslog traffic via UDP 514. The Linux clients use the rsyslog package for sending logs. Checking whether rsyslogd is running on the client doesn’t seem to be the correct way, as the service can be running but not forwarding any logs.
I was thinking of writing a script in bash that runs a tcpdump command every hour and checks the content for each client IP. But I am not sure how to parse the tcpdump output and then detect/alert which client hasn’t reported in a while.
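One way to do the "parse tcpdump, then find silent clients" step described above, as an added example that is not part of the original post. It assumes tcpdump was run with `-tttt -nn` (absolute timestamps, numeric addresses), that you maintain an inventory of expected client IPs, and that the sample capture lines and IPs below are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Matches the start of a tcpdump -tttt -nn line and captures the
# timestamp (without microseconds) and the source IP (assumed format).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > "
)

# Constructed sample capture: 10.0.0.5 is healthy, 10.0.0.6 went quiet,
# 10.0.0.7 (in the inventory) never appears at all.
SAMPLE_CAPTURE = """\
2024-05-01 11:30:12.104233 IP 10.0.0.6.51422 > 10.0.0.1.514: SYSLOG auth.info, length: 96
2024-05-01 12:40:01.551902 IP 10.0.0.5.44120 > 10.0.0.1.514: SYSLOG daemon.notice, length: 120
2024-05-01 12:58:44.002311 IP 10.0.0.5.44120 > 10.0.0.1.514: SYSLOG cron.info, length: 88
garbage line that should be ignored
"""

EXPECTED_CLIENTS = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]  # constructed inventory


def last_seen_by_source(lines):
    """Return {source_ip: latest timestamp seen} from tcpdump text lines."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip continuation/hex dump/unparseable lines
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        if ip not in seen or ts > seen[ip]:
            seen[ip] = ts
    return seen


def silent_clients(expected, seen, now, max_age=timedelta(hours=1)):
    """Return {ip: last_seen_or_None} for expected clients quiet for > max_age."""
    stale = {}
    for ip in expected:
        last = seen.get(ip)
        if last is None or now - last > max_age:
            stale[ip] = last
    return stale


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 13, 5, 0)  # fixed "now" for the constructed sample
    seen = last_seen_by_source(SAMPLE_CAPTURE.splitlines())
    for ip, last in silent_clients(EXPECTED_CLIENTS, seen, now).items():
        print(f"ALERT: {ip} silent since {last or 'never seen'}")
```

Because a single one-hour capture cannot distinguish "silent for 61 minutes" from "silent for a day", a cron job would persist the last-seen table between runs (for example as JSON) and merge each new capture into it before calling `silent_clients`.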