Graylog3 internal logs

1. Describe your incident:
I want to send my Graylog logs into itself.

2. Describe your environment:

  • OS Information: Debian 11.0.12 on Linux 4.19.0-17-amd64

  • Package Version: Graylog 3.3.14+13e45b7

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
There is a plugin in the marketplace, but it was written for Graylog2.

4. How can the community help?
Any ideas would be appreciated.

Hi there

You can do this using rsyslog.d on the Graylog server local OS pretty easily.

There are basic instructions for setting up all sorts of different inputs here:
https://docs.graylog.org/en/4.0/pages/sending_data.html#ingest-data

To do this natively, see the section concerning rsyslog here:
https://docs.graylog.org/en/4.0/pages/sending/syslog.html

First you need to vim /etc/rsyslog.conf and add the line $ModLoad imfile to the bottom of the Modules section. This loads the module we need for pushing bespoke logs through rsyslog.

Create the file /etc/rsyslog.d/graylog.conf. Contents look like this:

# Now load the external log for Graylog (each imfile input needs its own state file)
$InputFileName /var/log/graylog-server/server.log
$InputFileTag graylog
$InputFileStateFile graylog-server
$InputFileSeverity debug
$InputFileFacility local0
$InputRunFileMonitor
local0.* @127.0.0.1:1514;RSYSLOG_SyslogProtocol23Format

# Now load the external log for MongoDB
$InputFileName /var/log/mongodb/mongod.log
$InputFileTag mongodb
$InputFileStateFile mongodb
$InputFileSeverity debug
$InputFileFacility local1
$InputRunFileMonitor
local1.* @127.0.0.1:1514;RSYSLOG_SyslogProtocol23Format

# Now load the external log for Elasticsearch (wildcard reconstructed; use the actual log file name if your imfile does not accept wildcards)
$InputFileName /var/log/elasticsearch/*.log
$InputFileTag elasticsearch
$InputFileStateFile elasticsearch
$InputFileSeverity debug
$InputFileFacility local2
$InputRunFileMonitor
local2.* @127.0.0.1:1514;RSYSLOG_SyslogProtocol23Format

Restart Rsyslog for this to take effect. These logs will now be sent (in this example) to port 1514.

You will need to set the permissions on these log files in the /var/log folder so that rsyslog has permission to read them.

However, I would recommend you instead install Filebeat locally, and configure Filebeat to ingest these logs and forward them to Graylog.

Hope that helps.

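As an added example (not from this thread, Graylog or rsyslog), a small Python linter for a legacy-syntax imfile fragment like the one above. It flags the two defects that bite in this thread: a selector/action line that is not of the form `facility.priority <whitespace> @host:port[;template]`, and the same `$InputFileStateFile` reused for more than one input. The BROKEN_CONF sample is constructed to reproduce both.

```python
import re

# Legacy selector/action line, e.g. "local0.* @127.0.0.1:1514;RSYSLOG_SyslogProtocol23Format".
# Selector and action are separated by whitespace; "@" forwards over UDP, "@@" over TCP.
SELECTOR_RE = re.compile(
    r"^(?P<fac>\*|[a-z0-9]+)\.(?P<pri>\*|[a-z]+)\s+@@?[\w.\-]+:\d+(?:;\w+)?$"
)


def lint_imfile_conf(text):
    """Return a list of findings (strings) for a legacy-syntax rsyslog imfile fragment."""
    findings = []
    state_files = {}   # state file name -> $InputFileName that first claimed it
    facilities = set() # facilities declared via $InputFileFacility so far
    current = None     # file named by the most recent $InputFileName
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("$"):
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
            if key == "$InputFileName":
                current = value
            elif key == "$InputFileStateFile":
                # imfile stores its read offset here; sharing one makes inputs skip or replay lines
                if value in state_files:
                    findings.append(f"line {n}: state file {value!r} already used by {state_files[value]}")
                else:
                    state_files[value] = current
            elif key == "$InputFileFacility":
                facilities.add(value)
            continue
        # Anything else must be the selector that forwards the input to the Graylog port.
        m = SELECTOR_RE.match(line)
        if not m:
            findings.append(f"line {n}: malformed selector/action line {line!r}")
        elif m.group("fac") != "*" and m.group("fac") not in facilities:
            findings.append(f"line {n}: facility {m.group('fac')!r} has no $InputFileFacility")
    return findings


# Constructed sample with the thread's problems: shared state file and a selector missing its ".*".
BROKEN_CONF = """\
$InputFileName /var/log/graylog-server/server.log
$InputFileStateFile ms
$InputFileFacility local0
$InputRunFileMonitor
local0. @127.0.0.1:1514;RSYSLOG_SyslogProtocol23Format*

$InputFileName /var/log/mongodb/mongod.log
$InputFileStateFile ms
$InputFileFacility local1
$InputRunFileMonitor
local1.* @127.0.0.1:1514;RSYSLOG_SyslogProtocol23Format
"""
```

Run `lint_imfile_conf(open("/etc/rsyslog.d/graylog.conf").read())` before restarting rsyslog; an empty list means the fragment passed these two checks, which complements (does not replace) `rsyslogd -N1`.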

Hi @tellistone,
Thanks for your answer.
I have followed every stage, but I still didn’t get any results:

Then using chmod I set reading permissions:

sudo chmod ugo+r log

Then I rebooted the whole server.
Finally, this is my input in graylog:

What is the output of service rsyslog.d status?

You should get some kind of error back if rsyslog isn’t running, doesn’t have permission to access the logs, or if there is a syntax error in the config file, etc.

You can test that the Graylog input is working by manually sending a message to the input from the terminal:

echo "Hello Graylog, please work. Regards, ncmfn" | nc -w 1 -u 127.0.0.1 1514

Hello,

I noticed this in your screenshot.

I’m not 100% sure, but I would assume it should have the name of your Graylog server and/or its IP address.
Here is an example of mine.

I ran service rsyslog status and found some errors in the graylog.conf file.
This is how I changed it, and now it’s working:
replace lines 8, 17, and 26 with

*.* @127.0.0.1:1514;RSYSLOG_SyslogProtocol23Format
