Failed to send logs to my graylog in production

Hey all,
I set up Graylog in production mode. There are three Graylog servers and two nginx load-balancing servers, with keepalived running on both of those load-balancer servers. After configuration I cannot send the device logs into my Graylog.
Could you help me, please?

What Graylog Version do you have? What kind of input did you configure? What kind of logs are you trying to send? Please be more specific.

I’m using version 2.4.6 of graylog, version 5.2.0 of ES. I configured inputs in udp (see capture)

I want to send logs via rsyslog on my Debian host. When I check the logs of the two load-balancing and failover servers, this is what they report:

This is my Nginx LB config:

# Worker processes run under the unprivileged "nginx" account.
user nginx;
# One worker process serves every connection on this load balancer.
worker_processes 1;

# PID file written by the master process.
pid /var/run/nginx.pid;
# Only messages of severity "warn" and above are written to the error log.
error_log /var/log/nginx/error.log warn;

events {
    # Per-worker connection ceiling; proxied (upstream) connections count
    # against it as well as client connections.
    worker_connections 1024;
}

# HTTP context: defines the upstream group of three Graylog nodes on port 443,
# a port-80 server that redirects to HTTPS, a TLS listener on 443, and a
# port-80 default server that proxies requests to the upstream group over TLS.
#
# NOTE(review): as pasted, the braces in this block do not balance (see the
# commented-out "#}" below), so `nginx -t` would reject it. This may be a
# copy/paste artefact - confirm against the file actually loaded on the LB.
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

# Access-log line format; records the client-supplied X-Forwarded-For value.
log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile        on;
#tcp_nopush     on;

keepalive_timeout  65;

#gzip  on;

include /etc/nginx/conf.d/*.conf;


# Graylog web/API nodes. ip_hash keeps a given client address on the same
# node; a node is marked unavailable for 10s after 3 failed attempts within 10s.
upstream graylogwebcluster {
    ip_hash;
server 192.168.153.101:443 fail_timeout=10s max_fails=3;
    server 192.168.153.102:443 fail_timeout=10s max_fails=3;
    server 192.168.153.103:443 fail_timeout=10s max_fails=3;
}

# Plain-HTTP listener: permanently redirects every request to HTTPS on a
# hard-coded address.
# NOTE(review): 192.168.153.90 is presumably the keepalived virtual IP - confirm.
# The certificate files below are named for failover-lb2.lan; redirecting to a
# bare IP will fail browser name checks unless the certificate also lists that
# IP - verify.
server {
listen 80;
rewrite ^ https://192.168.153.90$request_uri? permanent;
#root /usr/share/nginx/html;
}

# TLS listener for clients.
server

{
listen 443 ssl;
# "ssl on" is redundant next to "listen 443 ssl" and was made obsolete in
# nginx 1.15.0.
ssl on;
ssl_certificate /etc/ssl/certs/failover-lb2.lan.crt;
ssl_certificate_key /etc/ssl/private/failover-lb2.lan.key;
ssl_session_timeout 5m;
# NOTE(review): the cipher list still admits 3DES suites and static-RSA key
# exchange (no forward secrecy); consider restricting it to the EECDH AEAD
# suites if all clients support them.
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if
# a known client cannot negotiate TLSv1.2.
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
# No client certificate is requested from browsers/API clients.
ssl_verify_client off;

# NOTE(review): the closing brace of this server block is commented out, so as
# pasted the block never closes here and the next "server {" is nested inside
# it, which nginx does not allow. As pasted, this 443 server also has no
# location/proxy_pass of its own - confirm the intended structure.
#}

# NOTE(review): second listener on port 80, marked default_server. Neither
# port-80 server sets server_name, so confirm which of the two actually
# receives client requests; if it is this one, clients reach the Graylog UI
# over unencrypted HTTP.
server {

listen 80 default_server;

    location / {
proxy_set_header Host $http_host;
  	proxy_set_header X-Forwarded-Host $host;
  	proxy_set_header X-Forwarded-Server $host;
  	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
   	# NOTE(review): "graylogwebcluster" is an nginx upstream name, not a host
   	# a browser can resolve; this header presumably needs the externally
   	# reachable load-balancer URL - confirm against the Graylog docs.
   	proxy_set_header X-Graylog-Server-URL https://graylogwebcluster/api;
    # Forward to the upstream group over TLS.
    proxy_pass https://graylogwebcluster ;
#rewrite ^/$ http://graylogwebcluster/$request_uri? last;	

	# TLS settings for the LB -> Graylog node connection.

# Client certificate presented to the Graylog nodes; it reuses the load
# balancer's own server key pair.
proxy_ssl_certificate /etc/ssl/certs/failover-lb2.lan.crt;
proxy_ssl_certificate_key /etc/ssl/private/failover-lb2.lan.key;
# NOTE(review): same legacy ciphers/protocols as on the client-facing side.
proxy_ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
proxy_ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

    # NOTE(review): with verification off, the upstream certificate is never
    # checked, so the LB -> Graylog hop is encrypted but not authenticated.
    # Turning it on also requires proxy_ssl_trusted_certificate pointing at
    # the CA that issued the node certificates.
    proxy_ssl_verify        off;
    proxy_ssl_session_reuse on;			
    }
}

}

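# Load-balancer configuration for Graylog log collection (syslog and GELF).
#
# The section labels below had lost their leading "#" in the pasted text, which
# would make nginx parse them as directives and fail the configuration test;
# they are restored as comments here.
#
# "stream" must sit at the top level of nginx.conf, outside the http {} block.
#
# NOTE(review): syslog and GELF over UDP carry no authentication or encryption.
# Restrict which source addresses can reach these listeners (host firewall or
# network ACL) so that arbitrary hosts cannot inject log records.
#
# NOTE(review): every server uses "proxy_bind $remote_addr transparent", so
# packets reach the Graylog nodes with the original client address as source.
# Per the nginx documentation this needs elevated privileges for the workers
# (on Linux, nginx >= 1.13.8 passes CAP_NET_RAW from the master process) and
# kernel routing on the load balancer to intercept traffic coming back from
# the proxied servers. If that routing is not in place, delivery may fail -
# verify before relying on it.
stream {

    # Rsyslog collection (Linux)
    upstream graylog_upstreams {
        least_conn;
        server 192.168.153.101:8515;
        server 192.168.153.102:8515;
        server 192.168.153.103:8515;
    }

    upstream graylog_node_upstreams {
        least_conn;
        server 192.168.153.101:8514;
        server 192.168.153.102:8514;
        server 192.168.153.103:8514;
    }

    # GELF UDP collection (Windows) via NXLog
    upstream graylog_udp_log {
        least_conn;
        server 192.168.153.101:12201;
        server 192.168.153.102:12201;
        server 192.168.153.103:12201;
    }

    # GELF TCP collection (Windows) via NXLog
    upstream graylog_tcp_log {
        least_conn;
        server 192.168.153.101:12201;
        server 192.168.153.102:12201;
        server 192.168.153.103:12201;
    }

    # UDP listener on 8514, balanced across graylog_node_upstreams.
    # proxy_responses 0: no reply datagrams are expected from the upstream.
    server {
        listen 8514 udp;
        proxy_pass graylog_node_upstreams;
        proxy_responses 0;
        proxy_bind $remote_addr transparent;
    }

    # Linux log port that clients send to (UDP 8515).
    # NOTE(review): the Graylog input bound to the upstream port must match the
    # sender's wire format (a Syslog UDP input for rsyslog, a GELF input for
    # GELF senders) - confirm the input type on each node.
    server {
        listen 8515 udp;
        proxy_pass graylog_upstreams;
        proxy_responses 0;
        proxy_bind $remote_addr transparent;
    }

    # GELF over UDP on 12201.
    server {
        listen 12201 udp;
        proxy_pass graylog_udp_log;
        proxy_responses 0;
        proxy_bind $remote_addr transparent;
    }

    # GELF over TCP on 12201.
    # NOTE(review): proxy_responses is documented for UDP sessions only and is
    # presumably without effect on this TCP listener - confirm.
    server {
        listen 12201;
        proxy_pass graylog_tcp_log;
        proxy_responses 0;
        proxy_bind $remote_addr transparent;
    }
}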


That is quite specific :slight_smile:

If you want to send syslog messages to Graylog, you should use a Syslog UDP input and not a GELF UDP input, because the input type has to match the format the sender emits. Perhaps have a look at http://docs.graylog.org/en/2.4/pages/getting_started/collect.html

Also you should check if there is anything in the graylog logfiles.

