How to import apache logs to graylog


(gany) #21

Port is not enabled in the server level.

Note : i have changed the port number 1514 to 10514.

image

I have disabled Iptables and selinux.


(Jochen) #22

Maybe you’ve started a Syslog UDP input. The netstat command which is shown on the screenshot only prints TCP sockets.


(gany) #23

Thanks Jochen for your clarification.

Then why rsyslog is not getting imported in Gralog.

vi /etc/rsyslog.d/graylog.conf

$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
. @192.168.216.140:10514;GRAYLOGRFC5424

image

vi /var/log/graylog-server/server.log

Please advise.


(Jochen) #24

Because 10.1.30.90:10514 doesn’t seem to be a valid network socket on the machine running Graylog.

Maybe there’s already another UDP input running on that port.


(gany) #25

I have changed the port number to 1514. The above screenshot involves both Linux and Windows Input. Windows logs does not have any problem. Is it related to bind address where I am using 0.0.0.0 in both Linux and windows inputs?


(Jochen) #26

The error message in the screenshot still says port 10514.

Please attach the current logs of your Graylog node(s) (as text file, not as screenshot) and the complete configuration of rsyslog.

Also see https://github.com/Graylog2/graylog-guide-syslog-linux for configuration instructions.


(gany) #27
password_secret = LuTfOqJLiyQiiEnQwV3bLKCZzut9LDxOuOqqzKLtz3MuxktfvkQpHJWGMJsOPux1KpigtYjIflBWkdCtvq

root_password_sha2 = 7676aaafb027c825bd9abab78b234070e702752f625b752e55

rest_listen_uri = http://192.168.216.140:9000/api/

web_listen_uri = http://192.168.216.140:9000/


(gany) #28

Sorry, I was unable to upload text file that’s why Copied the text file here.


(Jochen) #29

No worries, that’s fine. Unfortunately, it’s the configuration file of Graylog and not of rsyslog.

And now please add some back ticks around it (you can edit your previous post), so that it’s readable. :wink:

See https://community.graylog.org/faq#format-markdown for details.


(gany) #30

Please find the rsyslog config file. Not done any changes in the rsyslog.conf file.

vi /etc/rsyslog.conf

#$ModLoad imudp
#$UDPServerRun 514

#*.* @192.168.216.140:10514;RSYSLOG_SyslogProtocol23Format

vi /etc/rsyslog.d/graylog.conf

$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* @192.168.216.140:1514;GRAYLOGRFC5424

Thanks for your suggestion. Now it looks better for reading.


(gany) #31

Hi Jochen,

Do you require rsyslog config from Graylog server or remote client server?


(Jochen) #32

The configuration on the client machine.

Is the Syslog UDP input running on your Graylog node?
If not, what’s in the logs of that Graylog node?


(gany) #33

Yes SYSLOG udp running on Graylog server.

Rsyslog config file which I provided belongs to client server.


(gany) #34

Hello everyone,

I am getting event logs from single Windows machine. When I added second windows machine, it still shows events from previously added server. Please help to add more windows server.


(gany) #35

Hi Jochen,

Please help me to add another windows server (event logs) to graylog.


(Jochen) #36

This is not a personal support site.

If you want to get individual support with guaranteed SLA, you’ll have to buy professional support:
https://www.graylog.org/pricing