Forwarding syslogs from syslog-ng server to Graylog

1. Describe your incident:
I am setting up a syslog-ng server to forward received syslogs to Graylog. Graylog receives the forwarded syslogs, but marks the source as the syslog-ng server, not the real host that originally generated them.

2. Describe your environment:

  • OS Information:
    Red Hat, Inc. 11.0.15 on Linux 4.18.0-348.23.1.el8_5.x86_64
  • Package Version:
    Graylog 4.2.9+f0d8298
  • Service logs, configurations, and environment variables:

Syslog-ng version 3.5 configuration:

options {
    use_fqdn(yes);
    use_dns(yes);
    dns_cache(yes);
    dns-cache-expire(3600);
    dns-cache-expire-failed(60);
    dns-cache-size(1007);
    # keep the HOSTNAME field of the incoming header instead of replacing it with this relay's name
    keep_hostname(yes);
    #long_hostnames(no);
    chain_hostnames(no);
    #obsoleted? sync(1);
    log_fifo_size(8192);
};

source s_remote {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

destination d_graylog { syslog("172.18.1.4" transport("udp") port(20828)); };

# f_remote_access is referenced here but not defined in the excerpt shown
log { source(s_remote); filter(f_remote_access); destination(d_graylog); };

3. What steps have you already taken to try and solve the problem?

4. How can the community help?

Am I missing something on Graylog side, or Syslog-ng side? Thanks.


Hello,

Can you show the message(s) received by Graylog from the syslog-ng server?

In this syslog message, the source IP is 172.18.1.10, which is the syslog-ng server; the device that originally generated the syslog is sxxx.net.uoguelph.ca.

Hello,

I understand now. Quick question: I see you're using RawPlaintext UDP with port 8514. I'm not seeing that port in your configuration above?

Have you tried using the Syslog UDP input? If so, did you get the same outcome?

@UoGuelph

After reading up on syslog-ng, there was a statement made a while back about using the GELF input, which is native to Graylog.

The reason for this was I was thinking a different input could sort this out (create that field), or you may need to create an Extractor/Pipeline so it places that message's source under a new field.

Yes, I tried Syslog UDP first, then tried RawPlaintext UDP, same result.

The traffic is from the syslog-ng server (172.18.1.10), which is right, but how does Graylog know which syslogs are forwarded and which ones are generated by the source?

@UoGuelph

I’m not sure if you caught this post.

It's the type of input used.

Version 3.13 of syslog-ng introduced a graylog2() destination and a GELF (Graylog Extended Log Format) template to make sending syslog messages to Graylog easier.

We are running syslog-ng 3.5, so an upgrade is required.

I am also thinking "create an Extractor/Pipeline so it places that message's source under a new field".

Probably your best bet right now.

Might want to check this post out.
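To illustrate what the thread is circling (the UDP packet's sender is the syslog-ng box, the original host only survives in the syslog header, and GELF carries it explicitly in `host`), here is an added Python example; it is not code from the thread, from syslog-ng or from Graylog. It parses RFC 3164 and RFC 5424 headers, shows what a raw/plaintext receiver versus a header-parsing receiver would record as the source, and re-emits the line as a GELF 1.1 document with `host` set to the origin. The relay address 172.18.1.10 is the one from the thread; the hostnames, log lines and the `_relay_ip` field name are constructed for the example.

```python
"""Attribute a relayed syslog line to its original host and build a GELF record.

Added illustration for this thread; it is not syslog-ng or Graylog code.
The relay address (172.18.1.10) is the one from the thread; hostnames and
log lines below are constructed samples.
"""
import json
import re
from typing import Optional

RELAY_IP = "172.18.1.10"  # the syslog-ng server that forwards to Graylog

# Constructed sample lines, as they would arrive at Graylog *from the relay*.
# With keep_hostname(yes) the header still names the originating host.
SAMPLE_BSD = "<13>Jun  5 14:03:22 host01.example.net sshd[1234]: Accepted publickey for bob"
SAMPLE_IETF = "<165>1 2023-06-05T14:03:22.000Z fw01.example.net cron 845 ID47 - job finished"
SAMPLE_BARE = "<13>no hostname in this header"

# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME MESSAGE
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
# RFC 5424 (IETF syslog): <PRI>1 TIMESTAMP HOSTNAME APP PROCID MSGID SD MESSAGE
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)


def parse_syslog(line: str) -> Optional[dict]:
    """Split PRI and the header hostname out of a syslog line.

    Returns None when no hostname can be recovered (malformed or header-less
    message); such a line can only be attributed to the address it came from,
    which after relaying is the relay.
    """
    m = _RFC5424.match(line) or _RFC3164.match(line)
    if m is None:
        return None
    d = m.groupdict()
    pri = int(d["pri"])
    if pri > 191:  # facility 0..23 and severity 0..7 give PRI 0..191
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "host": d["host"],
        "msg": d["msg"].strip(),
        "format": "rfc5424" if "app" in d else "rfc3164",
    }


def attribute_source(line: str, sender_ip: str, parse_header: bool) -> str:
    """What a receiver records as the source of a line.

    parse_header=False models a raw/plaintext input: only the packet's sender
    address is known, so every relayed line is attributed to the relay.
    parse_header=True models a syslog-parsing input: the header hostname wins
    when present and the sender address is only the fallback.
    """
    if parse_header:
        parsed = parse_syslog(line)
        if parsed is not None:
            return parsed["host"]
    return sender_ip


def to_gelf(line: str, sender_ip: str) -> Optional[str]:
    """Re-emit a parsed syslog line as a GELF 1.1 JSON document.

    GELF names the origin in the mandatory `host` field, which Graylog shows
    as `source`, so the relay's address stops mattering. The relay is kept in
    a custom `_relay_ip` field (our own name) so the hop stays visible.
    """
    parsed = parse_syslog(line)
    if parsed is None:
        return None
    record = {
        "version": "1.1",
        "host": parsed["host"],
        "short_message": parsed["msg"],
        "level": parsed["severity"],  # GELF levels are syslog severities
        "_facility": parsed["facility"],
        "_syslog_format": parsed["format"],
        "_relay_ip": sender_ip,
    }
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    for line in (SAMPLE_BSD, SAMPLE_IETF, SAMPLE_BARE):
        print("raw input   :", attribute_source(line, RELAY_IP, parse_header=False))
        print("syslog input:", attribute_source(line, RELAY_IP, parse_header=True))
        print("gelf        :", to_gelf(line, RELAY_IP))
```

Running it shows the contrast from the thread: the raw/plaintext path attributes all three lines to 172.18.1.10, the header-parsing path recovers host01.example.net and fw01.example.net, and the header-less line falls back to the relay on either path, which is why a message with no hostname in its header cannot be fixed by any input or pipeline on the Graylog side.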