Forwarding syslogs from syslog-ng server to Graylog

1. Describe your incident:
I am setting up a syslog-ng server to forward received syslogs to Graylog. Graylog can receive the forwarded syslogs, but it marks the source as the syslog-ng server, not the real host that generated the syslogs originally.

2. Describe your environment:

  • OS Information:
    Red Hat, Inc. 11.0.15 on Linux 4.18.0-348.23.1.el8_5.x86_64
  • Package Version:
    Graylog 4.2.9+f0d8298
  • Service logs, configurations, and environment variables:

Syslog-ng version 3.5 configuration:

options {
    use_fqdn(yes);
    use_dns(yes);
    dns_cache(yes);
    dns-cache-expire(3600);
    dns-cache-expire-failed(60);
    dns-cache-size(1007);
    keep_hostname(yes);      # trust the HOST field of the received message rather than the sender's address
    #long_hostnames(no);
    chain_hostnames(no);
    #obsoleted? sync(1);
    log_fifo_size(8192);
};

source s_remote {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

# syslog() emits IETF (RFC 5424) formatted messages
destination d_graylog { syslog("172.18.1.4" transport(udp) port(20828)); };

# f_remote_access is referenced here; its filter {} block is not part of the snippet shown
log { source(s_remote); filter(f_remote_access); destination(d_graylog); };

3. What steps have you already taken to try and solve the problem?

4. How can the community help?

Am I missing something on Graylog side, or Syslog-ng side? Thanks.


Hello,

Can you show the message(s) received by Graylog from the syslog-ng server?

In this syslog message, the source IP is 172.18.1.10, which is the syslog-ng server; the device that generated the syslog originally is sxxx.net.uoguelph.ca.

Hello,

I understand now. Quick question: I see you're using a RawPlaintext UDP input on port 8514. I'm not seeing that port in your configuration above?

Have you tried the Syslog UDP input? If so, did you get the same outcome?

@UoGuelph

After reading up on syslog-ng, there was a statement made a while back about using the GELF input, which is native to Graylog.

The reason for this was I was thinking a different input might sort this out (create that field), or you may need to create an Extractor/Pipeline so it places that message's source under a new field.

Yes, I tried Syslog UDP first, then tried RawPlaintext UDP, same result.

The traffic is from the syslog-ng server (172.18.1.10), which is right, but how does Graylog know which syslogs are forwarded and which ones are generated by the source?

@UoGuelph

I’m not sure if you caught this post.

It's the type of input used.

Version 3.13 of syslog-ng introduced a graylog2() destination and a GELF (Graylog Extended Log Format) template to make sending syslog messages to Graylog easier.

We are running syslog-ng 3.5, so an upgrade is required.

I am also thinking "create an Extractor/Pipeline so it places that message's source under a new field".

Probably your best bet right now.

Might want to check this post out.
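The two suggestions in the replies (switch to a GELF input, or extract the originating host from the forwarded message) rest on the same fact: the UDP packet arrives from the relay, but the syslog header inside it still names the original host, and GELF's mandatory `host` field is what Graylog displays as `source`. The script below is an added example, not code from the thread, from syslog-ng or from Graylog. It parses both header formats a syslog-ng relay can emit (RFC 5424 from a syslog() destination, RFC 3164 from legacy udp()/tcp() or network() destinations), builds a GELF 1.1 document with `host` set to the original host name, and falls back to the relay address only when no header is present, which reproduces the symptom described in the original post. The sample messages and host names are constructed; 172.18.1.10 is the relay address given in the thread.

```python
import json
import re
from datetime import datetime

# Constructed sample input (not from the thread). 172.18.1.10 is the relay
# address the poster gave; the host names are placeholders.
RELAY_IP = "172.18.1.10"

SAMPLES = [
    # RFC 5424, the format syslog-ng's syslog() destination sends
    "<34>1 2022-06-01T12:00:00.000Z webhost.example.net sshd 1234 - - "
    "Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    # RFC 3164 (BSD) format, sent by legacy udp()/tcp() or network() destinations
    "<13>Jun  1 12:00:01 fwhost.example.net kernel: [12345.6] IN=eth0 OUT= SRC=10.0.0.9",
    # No syslog header at all: the relay's own address is the only origin left
    "plain text with no header",
]

RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$",
    re.DOTALL,
)
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)


def parse_syslog(raw):
    """Split a received line into facility, severity, format, original host
    and message text. host is None when there is no parseable header."""
    m = RFC5424.match(raw)
    if m:
        pri = int(m.group("pri"))
        return {"format": "rfc5424", "facility": pri >> 3, "severity": pri & 7,
                "host": m.group("host"), "timestamp": m.group("ts"),
                "message": m.group("msg")}
    m = RFC3164.match(raw)
    if m:
        pri = int(m.group("pri"))
        return {"format": "rfc3164", "facility": pri >> 3, "severity": pri & 7,
                "host": m.group("host"), "timestamp": None,  # 3164 carries no year
                "message": m.group("msg")}
    return {"format": "unknown", "facility": None, "severity": None,
            "host": None, "timestamp": None, "message": raw}


def to_gelf(parsed, peer_ip):
    """Build a GELF 1.1 payload. GELF's `host` becomes Graylog's `source`, so
    the header's host name goes there; the relay address is used only when the
    header gave nothing better, which is the symptom seen in the thread."""
    gelf = {
        "version": "1.1",
        "host": parsed["host"] or peer_ip,
        "short_message": parsed["message"],
        "_relay_ip": peer_ip,           # additional fields must start with "_"
        "_syslog_format": parsed["format"],
    }
    if parsed["severity"] is not None:
        gelf["level"] = parsed["severity"]   # GELF level uses syslog severities
        gelf["_facility"] = parsed["facility"]
    if parsed["timestamp"]:
        # fromisoformat() does not accept a trailing "Z" before Python 3.11
        ts = datetime.fromisoformat(parsed["timestamp"].replace("Z", "+00:00"))
        gelf["timestamp"] = ts.timestamp()
    return gelf


def gelf_lines(samples, peer_ip=RELAY_IP):
    """One JSON document per input line, the shape a GELF UDP input accepts
    (a GELF TCP input additionally needs a NUL byte after each document)."""
    return [json.dumps(to_gelf(parse_syslog(s), peer_ip)) for s in samples]


if __name__ == "__main__":
    for line in gelf_lines(SAMPLES):
        print(line)
```

Running it prints three GELF documents: the first two carry `webhost.example.net` and `fwhost.example.net` as `host`, the third falls back to `172.18.1.10`. The `_relay_ip` field keeps the relay visible as a separate attribute, which is the "place the message's source under a new field" idea from the replies without losing the original host as `source`.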

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.