Failed to send logs to my graylog in production


#1

Hey all,
I set up Graylog in production mode. There are three Graylog servers and two nginx load-balancing servers, with keepalived running on both of those load-balancing servers. After configuration, I cannot send device logs into my Graylog.
could you help me please?


(Konrad Merz) #2

What Graylog Version do you have? What kind of input did you configure? What kind of logs are you trying to send? Please be more specific.


#3

I’m using version 2.4.6 of graylog, version 5.2.0 of ES. I configured inputs in udp (see capture)


#4

I want to send logs via rsyslog on my Debian host. When I check the logs of the two load-balancing and failover servers, here is what they show:


#5

This is my Nginx LB config:

# Worker processes run under the "nginx" account.
user nginx;
# A single worker process handles all connections.
worker_processes 1;

# Master-process PID file, and the error log (severity "warn" and above).
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log warn;

# Connection handling: each worker may hold up to 1024 simultaneous connections.
events {
    worker_connections 1024;
}

# http context as posted: HTTP/HTTPS front end in front of the three backends on port 443.
# NOTE(review): the braces in this section do not balance (see the notes at `#}` and at
# the last `}`), so `nginx -t` should be run before relying on it; a configuration that
# fails to parse is not loaded.
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;

# Access-log line layout, including the client-supplied X-Forwarded-For value.
log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

access_log  /var/log/nginx/access.log  main;

sendfile        on;
#tcp_nopush     on;

keepalive_timeout  65;

#gzip  on;

# Pulls in every *.conf under conf.d; anything defined there (for example a packaged
# default server) is also part of this http context.
include /etc/nginx/conf.d/*.conf;


# Backend pool on port 443 (presumably the Graylog web/API nodes — confirm).
# ip_hash pins each client address to one backend; a backend is marked unavailable
# for 10s after 3 failed attempts.
upstream graylogwebcluster {
    ip_hash;
server 192.168.153.101:443 fail_timeout=10s max_fails=3;
    server 192.168.153.102:443 fail_timeout=10s max_fails=3;
    server 192.168.153.103:443 fail_timeout=10s max_fails=3;
}

# Plain-HTTP listener: permanently redirects every request to https://192.168.153.90
# (presumably the keepalived virtual IP — confirm).
server {
listen 80;
rewrite ^ https://192.168.153.90$request_uri? permanent;
#root /usr/share/nginx/html;
}

# TLS listener on 443. NOTE(review): this server has no location/proxy_pass of its own.
server

{
listen 443 ssl;
# NOTE(review): `ssl on;` is redundant with `listen 443 ssl` and is deprecated in newer
# nginx releases.
ssl on;
ssl_certificate /etc/ssl/certs/failover-lb2.lan.crt;
ssl_certificate_key /etc/ssl/private/failover-lb2.lan.key;
ssl_session_timeout 5m;
# NOTE(review): this list still permits 3DES suites (64-bit block cipher) and static-RSA
# key exchange (no forward secrecy); consider removing EECDH+3DES, RSA+3DES and the RSA+AES
# entries if all clients support ECDHE.
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated (RFC 8996); restricting this to TLSv1.2
# and newer is the usual hardening, provided every client supports it.
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_prefer_server_ciphers on;
# Client certificates are not requested from browsers/API clients.
ssl_verify_client off;

# NOTE(review): the closing brace of the 443 server is commented out on the next line, so
# the `server {` that follows opens inside this server block, which nginx does not allow.
#}

# NOTE(review): second listener on port 80, and the only one that proxies to the backends.
# As written, proxying is attached to the plain-HTTP port while the 443 listener proxies
# nothing — presumably the location below was meant to live in the 443 server; confirm.
server {

listen 80 default_server;

    location / {
# Forwards the client-supplied Host header unchanged, plus the usual X-Forwarded-* set.
proxy_set_header Host $http_host;
  	proxy_set_header X-Forwarded-Host $host;
  	proxy_set_header X-Forwarded-Server $host;
  	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# NOTE(review): `graylogwebcluster` is an nginx upstream name, not a DNS name a browser can
# resolve; presumably this header should carry the externally reachable URL — confirm
# against the Graylog documentation for this version.
   	proxy_set_header X-Graylog-Server-URL https://graylogwebcluster/api;
    proxy_pass https://graylogwebcluster ;
#rewrite ^/$ http://graylogwebcluster/$request_uri? last;	

	#SSL

# Certificate and key nginx presents to the backends; the same pair as the public listener.
proxy_ssl_certificate /etc/ssl/certs/failover-lb2.lan.crt;
proxy_ssl_certificate_key /etc/ssl/private/failover-lb2.lan.key;
# NOTE(review): same 3DES / static-RSA / TLSv1 / TLSv1.1 concerns as the listener settings above.
proxy_ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
proxy_ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

# NOTE(review): with verification off nginx does not authenticate the backend certificates,
# so the LB-to-backend TLS hop gives no protection against an impersonated backend.
# Consider `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate`.
    proxy_ssl_verify        off;
    proxy_ssl_session_reuse on;			
    }
}

# NOTE(review): by brace count this closes the server opened at `listen 443 ssl`, not
# http {}; the http block is never closed in the text as posted.
}

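# Load balancer configuration: log collection (UDP and TCP) for Graylog.
#
# stream {} belongs at the top (main) level of nginx.conf, next to http {}, not inside it.
#
# NOTE(review): syslog and GELF over plain UDP/TCP are neither authenticated nor encrypted,
# and every listener below binds all addresses on the host. Limit which senders can reach
# these ports (host firewall, or the stream module's `allow`/`deny`).
#
# The Graylog input behind each port must match what the sender emits: rsyslog traffic
# needs a Syslog UDP input, not a GELF UDP input.
stream {

    # Rsyslog collection (Linux)
    upstream graylog_upstreams {
        least_conn;
        server 192.168.153.101:8515;
        server 192.168.153.102:8515;
        server 192.168.153.103:8515;
    }

    upstream graylog_node_upstreams {
        least_conn;
        server 192.168.153.101:8514;
        server 192.168.153.102:8514;
        server 192.168.153.103:8514;
    }

    # GELF_UDP collection (Windows) via NXLOG
    upstream graylog_udp_log {
        least_conn;
        server 192.168.153.101:12201;
        server 192.168.153.102:12201;
        server 192.168.153.103:12201;
    }

    # GELF_TCP collection (Windows) via NXLOG
    upstream graylog_tcp_log {
        least_conn;
        server 192.168.153.101:12201;
        server 192.168.153.102:12201;
        server 192.168.153.103:12201;
    }

    # UDP listeners.
    # `proxy_responses 0` tells nginx that no reply datagrams are expected from the backend.
    # `proxy_bind $remote_addr transparent` forwards each datagram with the original
    # sender's source address, so the backend sees the real device IP.
    # NOTE(review): transparent binding needs the matching privileges and kernel routing
    # setup on the load balancer, and reverse-path filtering on the backends or on hosts in
    # between may drop packets whose source address is not the load balancer's. When no
    # messages arrive, confirm with a packet capture on a Graylog node that the datagrams
    # reach it at all.
    server {
        listen 8514 udp;
        proxy_pass graylog_node_upstreams;
        proxy_responses 0;
        proxy_bind $remote_addr transparent;
    }

    # Linux log port: listens for clients
    server {
        listen 8515 udp;
        proxy_pass graylog_upstreams;
        proxy_responses 0;
        proxy_bind $remote_addr transparent;
    }

    server {
        listen 12201 udp;
        proxy_pass graylog_udp_log;
        proxy_responses 0;
        proxy_bind $remote_addr transparent;
    }

    # TCP listener for GELF.
    # NOTE(review): `proxy_responses` is documented for UDP; presumably it has no effect
    # here. With transparent binding on TCP, the backend's replies are addressed to the
    # original client, so they must be routed back through this load balancer or the
    # connection cannot complete — verify the backends' return route.
    server {
        listen 12201;
        proxy_pass graylog_tcp_log;
        proxy_responses 0;
        proxy_bind $remote_addr transparent;
    }
}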


(Konrad Merz) #6

That is quite specific :slight_smile:

If you want to send syslog messages to Graylog, you should use a Syslog UDP input and not a GELF UDP input. Perhaps have a look at http://docs.graylog.org/en/2.4/pages/getting_started/collect.html

Also you should check if there is anything in the graylog logfiles.

