Graylog3 internal logs

1. Describe your incident:
I want to send my Graylog logs into itself.

2. Describe your environment:

  • OS Information:Debian 11.0.12 on Linux 4.19.0-17-amd64

  • Package Version:Graylog 3.3.14+13e45b7

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
There is a plugin in marketplace, but it has been written for graylog2.

4. How can the community help?
Any ideas would be appreciated.

Hi there

You can do this using rsyslog.d on the Graylog server local OS pretty easily.

There are basic instructions for setting up all sorts of different inputs here:

To do this natively, see the section concerning rsyslog here:

First you need to vim /etc/rsyslog.conf , and add the line $ModLoad imfile to the bottom of the Modules section. This loads the module we need for pushing bespoke logs through rsyslog.

Create the file /etc/rsyslog.d/graylog.conf` Contents look like this:

# Now load the external log for Graylog
$InputFileName /var/log/graylog-server/server.log
$InputFileTag graylog
$InputFileStateFile ms
$InputFileSeverity debug
$InputFileFacility local0
local0. @;RSYSLOG_SyslogProtocol23Format*

# Now load the external log for MongoDB
$InputFileName /var/log/mongodb/mongod.log
$InputFileTag mongodb
$InputFileStateFile ms
$InputFileSeverity debug
$InputFileFacility local1
local1. @;RSYSLOG_SyslogProtocol23Format*

# Now load the external log for elasticsearch
$InputFileName /var/log/elasticsearch/.log*
$InputFileTag elasticsearch
$InputFileStateFile ms
$InputFileSeverity debug
$InputFileFacility local2
local2. @;RSYSLOG_SyslogProtocol23Format*

Restart Rsyslog for this to take effect. These logs will now be sent (in this example) to port 1514.

You will need to set the permissions on these logs files in the /var/log folder so that rsyslog has permission to read them.

However. I would recommend you instead install filebeats locally, and configure filebeats to ingest these logs and foward them to Graylog.

Hope that helps.


Hi @tellistone,
Tnx for your answer,
I have followed every stage. But I still didn’t get any results:

Then using chmod I set reading permissions:

sudo chmod ugo+r log

then I reboot the whole server.
Finally, this is my input in graylog:

What is the output of service rsyslog.d status

You should get some kind of error back if rsyslog isn’t runing - doesn’t have permissions to access the logs, or if there is a syntax error in the config file etc

You can test the Graylog input is working by manually sending a message to the input from the terminal

echo “Hello Graylog, please work. Regards, ncmfn” | nc -w 1 -u 1514


I noticed this in your screenshot.

I’m not 100% sure but I would assume it should have your name of Graylog server and/or IP Address.
Here is example of mine.

I ran service rsyslog status and findout some errors in graylog.conf file.
This is how I changed it, and now it’s working:
replace lines 8, 17, and 26 with


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.