Graylog and FreeBSD's Default Syslog

There are very few posts about setting up log forwarding from a FreeBSD system to Graylog. It seems that FreeBSD’s default syslog service is incompatible with Graylog. Is this correct?

Simply putting the following into /etc/syslog.conf does not work.

*.*						@[HOST]:[PORT]

Neither does adding ;RSYSLOG_SyslogProtocol23Format. Nothing shows up in Graylog.

Check your syslogd run-time parameters. Check whether syslogd is running with the -ss parameter, which disables logging to an external syslog.

ps auxw | grep syslog | grep -v grep

If so, change /etc/rc.conf and remove one -s from the run-time options.

-s Operate in secure mode. Do not log messages from remote machines. If specified twice, no network socket will be opened at all, which also disables logging to remote machines.

I checked and I did not see a -ss. Anyway… I don’t know what happened, but when I checked the next day I was seeing logs flow in. Maybe I just had to wait. Thanks for the tip though, at least I know what to look for in the future if I run into that specific problem.

I’m very pleased how easy Graylog was to setup on FreeBSD and how well it works out of the box. I hope you continue to support that platform as a tier 1 system.

If you see messages after some time (hours), it’s probably a problem with the timestamp. Graylog can store messages with a timestamp in the future, so you can’t see them right now, but only after some time. Graylog stores all timestamps internally in the UTC timezone in Elasticsearch, and shows them based on the timezone setting in the user profile.

Usually it’s a problem with a wrong timezone setting. Check your timezone setting on the FreeBSD server, and also on the Graylog server. If you run the Graylog server on Linux, check the command timedatectl. If you need to change the timezone, use the command: timedatectl set-timezone Europe/Bratislava. Replace Europe/Bratislava with your real timezone and restart the Graylog server.
Don’t forget to also check that your time is synchronized using NTP on the Graylog server and all sending devices.

The best way to debug whether your timestamps are in the future is to use the Absolute time frame selector and select a larger timeframe extending into the future (1 or 2 days, ending in the future).
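To make the timezone failure mode concrete, here is an added Python example (not from the thread and not Graylog's code) run over constructed log lines. An RFC 3164 (BSD syslog) line carries neither a year nor a UTC offset, so the receiver has to assume a zone; if the sender wrote the line at 14:30 CEST and the receiver assumes UTC, the message is stored two hours in the future and only appears once the clock catches up. An RFC 5424 timestamp, which is what the rsyslog RSYSLOG_SyslogProtocol23Format template emits, carries its offset and is placed correctly regardless of what the receiver assumes. The fixed offsets, host names and the "now" value are assumptions for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample messages for this example; they are not from the thread.
# The RFC 3164 line has neither a year nor a UTC offset; the RFC 5424 line has both.
BSD_LINE = "Oct  5 14:30:00 bsdhost sshd[1234]: Accepted publickey for alice from 192.0.2.10"
RFC5424_LINE = "<34>1 2023-10-05T14:30:00+02:00 bsdhost sshd 1234 - - Accepted publickey for alice"

# Assumed zones: the sender really is in Europe/Bratislava (UTC+2 in October),
# the receiver wrongly assumes UTC. zoneinfo.ZoneInfo objects work here too;
# fixed offsets are used so the example needs no tz database.
CEST = timezone(timedelta(hours=2))
UTC = timezone.utc
# Assumed receiver clock: 5 s after the sample message was written (12:30:00 UTC).
NOW_UTC = datetime(2023, 10, 5, 12, 30, 5, tzinfo=UTC)

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}
BSD_RE = re.compile(r"^(?:<\d+>)?([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
RFC5424_RE = re.compile(r"^<\d+>1 (\S+) ")


def parse_bsd(line, assumed_tz, year):
    """UTC timestamp of an RFC 3164 line, assuming it was written in assumed_tz.

    The year is not on the wire either, so the receiver has to supply that too.
    """
    m = BSD_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 line: %r" % line)
    mon, day, hh, mm, ss = m.groups()
    local = datetime(year, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=assumed_tz)
    return local.astimezone(UTC)


def parse_rfc5424(line):
    """UTC timestamp of an RFC 5424 line; the offset is in the message, nothing is assumed."""
    m = RFC5424_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line: %r" % line)
    ts = m.group(1)
    if ts.endswith("Z"):  # fromisoformat() accepts a trailing 'Z' only from Python 3.11
        ts = ts[:-1] + "+00:00"
    return datetime.fromisoformat(ts).astimezone(UTC)


def skew_seconds(line, actual_tz, assumed_tz, year):
    """Seconds a BSD line moves into the future when the receiver assumes the wrong zone."""
    return (parse_bsd(line, assumed_tz, year) - parse_bsd(line, actual_tz, year)).total_seconds()


def future_messages(lines, assumed_tz, now_utc, year, tolerance=60):
    """Lines whose timestamp lies more than `tolerance` seconds ahead of now_utc.

    This is the check behind "select an absolute time range ending in the future":
    anything returned here is stored but will not show up in a search that ends now.
    """
    out = []
    for line in lines:
        if RFC5424_RE.match(line):
            ts = parse_rfc5424(line)
        else:
            ts = parse_bsd(line, assumed_tz, year)
        if (ts - now_utc).total_seconds() > tolerance:
            out.append(line)
    return out


if __name__ == "__main__":
    print("skew if receiver assumes UTC:", skew_seconds(BSD_LINE, CEST, UTC, 2023), "s")
    print("ahead of now (assuming UTC): ", future_messages([BSD_LINE, RFC5424_LINE], UTC, NOW_UTC, 2023))
    print("ahead of now (assuming CEST):", future_messages([BSD_LINE, RFC5424_LINE], CEST, NOW_UTC, 2023))
```

With the receiver assuming UTC only the BSD-format line is flagged as two hours ahead; once the receiver assumes the sender's real zone, or the sender emits RFC 5424 timestamps, nothing is in the future. The same function, pointed at a dump of recent messages with a generous tolerance, is a quick way to confirm that a "missing" message is really a misplaced one.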
