I’m trying to forward logs from Graylog to another syslog server. Can the Outputs be used for this purpose? If so, a follow-up question: I noticed that my outputs only give me two options, stdout and GELF output. Am I missing some options, such as the ones mentioned here, specifically Operations TCP Raw/Plaintext Output and Operations TCP Syslog Output, or is this something completely different?
You definitely can forward syslog, but it requires either an operations or security commercial license. If you are using the free commercial version (less than 2 GB), you have this feature available to you. It’s called an Output Framework Forwarder. In order for you to use it, you must enable the “store full message” tickbox on the GL input to which you are sending the syslog messages. You will then forward that field in its entirety to the next destination. That field contains the entire packet that was originally received, and will appear to have come from the original source device, not from Graylog.
We are using the commercial version. And there is very specific data that we are trying to send. If that specific data is less than 2GB a day, would we be able to send that, or are you saying 2GB total?
There is no difference between the two. You can collect up to 2GB/day. All forwarded data goes into ES/OS as well, so the 2GB limit applies there too. If you get a larger license, you can collect and/or forward more data.
In short, you can’t set it up to act as a forwarder only, one that does not collect the data as well. Was that your original intent?
You need to drop what you don't need prior to Graylog ingesting those logs; this would be the way to go.
Or use the free Output version's STDOUT and GELF outputs.