1. Describe your incident:
I need the ability to log access attempts made against the Graylog web interface for ISO cert purposes. By default, it does not seem that Graylog does this. I’ve attempted the solution found here. Unfortunately, I’ve had no luck logging the information or getting the local server.log file into Graylog.
2. Describe your environment:
- OS Information: Ubuntu 22.04 in a Linux container
- Package Version:
- Service logs, configurations, and environment variables:
<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
  <Appenders>
    <RollingFile name="rolling-file" fileName="/var/log/graylog-server/server.log" filePattern="/var/log/graylog-server/server.log.%i.gz">
      <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
      <Policies>
        <SizeBasedTriggeringPolicy size="50MB"/>
      </Policies>
      <DefaultRolloverStrategy max="10" fileIndex="min"/>
    </RollingFile>
    <!-- Internal Graylog log appender. Please do not disable. This makes internal log messages available via REST calls. -->
    <Memory name="graylog-internal-logs" bufferSize="500"/>
  </Appenders>
  <Loggers>
    <!-- RestAccessLogFilter -->
    <Logger name="org.graylog2.rest.accesslog" level="debug" additivity="false">
      <AppenderRef ref="rolling-file" level="debug"/>
      <AppenderRef ref="STDOUT" level="info"/>
    </Logger>
    <!-- Application Loggers -->
    <Logger name="org.graylog2" level="info"/>
    <Logger name="com.github.joschi.jadconfig" level="warn"/>
    <!-- Prevent DEBUG message about Lucene Expressions not found. -->
    <Logger name="org.elasticsearch.script" level="warn"/>
    <!-- Disable messages from the version check -->
    <Logger name="org.graylog2.periodical.VersionCheckThread" level="off"/>
    <!-- Silence chatty natty -->
    <Logger name="com.joestelmach.natty.Parser" level="warn"/>
    <!-- Silence Kafka log chatter -->
    <Logger name="org.graylog.shaded.kafka09.log.Log" level="warn"/>
    <Logger name="org.graylog.shaded.kafka09.log.OffsetIndex" level="warn"/>
    <Logger name="org.apache.kafka.clients.consumer.ConsumerConfig" level="warn"/>
    <!-- Silence useless session validation messages -->
    <Logger name="org.apache.shiro.session.mgt.AbstractValidatingSessionManager" level="warn"/>
    <Root level="warn">
      <AppenderRef ref="rolling-file"/>
      <AppenderRef ref="graylog-internal-logs"/>
    </Root>
  </Loggers>
</Configuration>
^Relevant portion in Bold
.conf file in the rsyslog.d subdirectory:
#/etc/rsyslog.conf
$ModLoad imfile
$InputFileName /var/log/graylog-server/server.log
$InputFileTag graylog-server
$InputFileStateFile stat-graylog-server
$InputFileSeverity info
$InputFileFacility local3
$InputRunFileMonitor
local3.* action(type="omfwd" target="192.168.128.245" port="56234" protocol="udp" action.resumeRetryCount="100" queue.type="linkedlist" queue.size="10000" template="RSYSLOG_SyslogProtocol23Format")
Input even says messages are coming in:
But when you click on “Show received messages”, there is nothing displayed.
3. What steps have you already taken to try and solve the problem?
Hours of Google-fu
4. How can the community help?
Tell me what I am doing wrong? Is there a better way?
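A check that can be run against the two configurations in the post, added here as an example and not part of the original post: it reports `AppenderRef` names that match no declared appender (log4j2 resolves each `ref` against the `name` of an entry under `Appenders`) and whether the file receiving the `org.graylog2.rest.accesslog` logger is one that the rsyslog imfile input follows. The function name `audit`, the report keys and the trimmed sample strings are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

ACCESS_LOGGER = "org.graylog2.rest.accesslog"

# Constructed samples: trimmed copies of the two configurations in the post.
LOG4J2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
  <Appenders>
    <RollingFile name="rolling-file" fileName="/var/log/graylog-server/server.log"/>
    <Memory name="graylog-internal-logs" bufferSize="500"/>
  </Appenders>
  <Loggers>
    <Logger name="org.graylog2.rest.accesslog" level="debug" additivity="false">
      <AppenderRef ref="rolling-file" level="debug"/>
      <AppenderRef ref="STDOUT" level="info"/>
    </Logger>
    <Root level="warn">
      <AppenderRef ref="rolling-file"/>
      <AppenderRef ref="graylog-internal-logs"/>
    </Root>
  </Loggers>
</Configuration>
"""
RSYSLOG_CONF = """$ModLoad imfile
$InputFileName /var/log/graylog-server/server.log
$InputFileTag graylog-server
$InputRunFileMonitor
"""

def audit(log4j2_xml, rsyslog_conf):
    root = ET.fromstring(log4j2_xml.encode("utf-8"))
    # Appender name -> fileName (None for appenders that do not write a file).
    appenders = {a.get("name"): a.get("fileName") for a in root.findall("Appenders/*")}
    dangling, access_files = [], []
    for logger in root.findall("Loggers/*"):
        name = logger.get("name", "Root")  # <Root> carries no name attribute
        for ref in logger.findall("AppenderRef"):
            target = ref.get("ref")
            if target not in appenders:
                dangling.append((name, target))  # no appender declared under this name
            elif name == ACCESS_LOGGER and appenders[target]:
                access_files.append(appenders[target])
    # Files the imfile module is told to follow (legacy directive syntax).
    followed = re.findall(r"^\$InputFileName\s+(\S+)", rsyslog_conf, re.MULTILINE)
    shipped = [f for f in access_files if f in followed]
    return {"dangling_refs": dangling, "access_log_files": access_files,
            "shipped_by_rsyslog": shipped}

if __name__ == "__main__":
    for key, value in audit(LOG4J2_XML, RSYSLOG_CONF).items():
        print(f"{key}: {value}")
```
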