How to receive Logs from Nodes

1. Describe your incident:
I need to set up GrayLog for my apprenticeship. So it's just for documentation and skill proofing purposes. I have set up the GUI and now have 3 simple Debian systems which I want to collect some kind of logs from. Doesn't matter which. I just want the process to be automatic and have some logs show up in the stream.

2. Describe your environment:

  • OS Information:
    GrayLog Machine: Debian

3 other Debian machines to collect logs from

  • Service logs, configurations, and environment variables:

any please

3. What steps have you already taken to try and solve the problem?

set up the GrayLog Master(?) Server with the WebGUI, port 9000
checked the Debian VMs, they are in the same subnet and I can reach them from both ends

4. How can the community help?

Explain to me if I misunderstand something basic. I thought it's like this: You set up 1 VM being the GrayLog "Master" and then you can collect the Logs from other devices being the "slaves". I could imagine using agents of some kind, like it's done with monitoring. I have read the manual but don't really understand how I can get my remote log inputs.

I used:

echo -n '{ "version": "1.1", "host": "", "short_message": "A short message", "level": 5, "_some_info": "foo" }' | nc -w1 -u 172.X.X.X 12201

That manual command worked and I got some entries.
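As an added example (not from the original posts), here is the same manual test wrapped in a small POSIX shell script. It builds the GELF 1.1 payload with the two fields the GELF spec marks as mandatory (`host` and `short_message`), escapes quotes so a message cannot break the JSON, and refuses to send a payload with an empty host. `GRAYLOG_HOST` and `GELF_PORT` are assumed placeholders; the default port 12201 and the `nc -w1 -u` invocation are the ones from the post above.

```shell
#!/bin/sh
# Build and send a GELF 1.1 message over UDP, the same thing the manual
# "echo | nc" command does, but with the fields the GELF spec requires.

# JSON-escape backslashes and double quotes so a message cannot break the payload
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# gelf_message HOST SHORT_MESSAGE [LEVEL] [EXTRA]
#   HOST and SHORT_MESSAGE are mandatory in GELF; LEVEL is a syslog severity
#   (0-7, default 6); EXTRA is an optional pre-formatted JSON member such as
#   '"_some_info":"foo"' (additional GELF fields must start with an underscore)
gelf_message() {
  host=$(json_escape "$1")
  msg=$(json_escape "$2")
  level=${3:-6}
  extra=${4:+,$4}
  printf '{"version":"1.1","host":"%s","short_message":"%s","level":%s%s}' \
    "$host" "$msg" "$level" "$extra"
}

# Return 0 only if both mandatory fields are present and non-empty
gelf_valid() {
  printf '%s' "$1" | grep -Eq '"host":"[^"]+"' &&
  printf '%s' "$1" | grep -Eq '"short_message":"[^"]+"'
}

# Send one message to the GELF UDP input. GRAYLOG_HOST is a placeholder the
# caller has to set; GELF_PORT defaults to 12201 as in the manual test.
send_gelf() {
  payload=$(gelf_message "$@")
  gelf_valid "$payload" || { echo "refusing to send invalid GELF payload" >&2; return 1; }
  printf '%s' "$payload" | nc -w1 -u "${GRAYLOG_HOST:?set GRAYLOG_HOST to the Graylog IP}" "${GELF_PORT:-12201}"
}

# Usage (uncomment to run):
# GRAYLOG_HOST=172.X.X.X send_gelf "$(hostname)" "A short message" 5 '"_some_info":"foo"'
```

Passing `$(hostname)` instead of an empty `host` is what makes the message attributable to a node in the Graylog search; the `_some_info` field shows up as an extra field on the message.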

Yes you normally need to run agents to collect logs from computers, normally beats or nxlog.

Simplest thing is probably to install graylog sidecar and use an auditbeat configuration (which is bundled in the sidecar install) Graylog Sidecar

You also then need to make sure you have a beats input to accept the logs.


Hey, thanks so far. I have read in the manual that I should configure something in the syslog.conf or rsyslog something. ChatGPT told me, that the GrayLog Server needs to listen on 514 and then I need to configure the slaves with some kind of log collection tool. What do you say to that?

sidecar, beats and nxlog sound intimidating to be honest. I want the simplest and most common way.

You can do it that way, although ports below 1024 can have problems, so you may want to use 1514. The problem will be rsyslog gives you just the message field, so you then need to parse it. If you use auditbeat it breaks out all the fields for you.


Thanks again. So now I use port 1514 and I can send messages from multiple nodes like ILO Server and even the one Debian machine I want the logs from. Except that it doesn't receive my logs automatically, it only receives the echo input I give the shell.

Here is what I added to my rsyslog.conf:

(IP of my graylog)

Daemon reload, restarted rsyslog.
Checked syslog with tail -f and it has new entries, but the Graylog machine does not show anything new.
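As an added example (not part of the original thread), this POSIX shell snippet generates the rsyslog forwarding rule for the 1514 port suggested above, writes it as a drop-in file, checks the rsyslog configuration before restarting, and sends a test line through the local syslog socket with `logger`, so the same path real daemons use is exercised. The target address, the drop-in file name `90-graylog.conf` and the `RSYSLOG_CONF_DIR` override are assumptions; `@host:port` (UDP) and `@@host:port` (TCP) are rsyslog's legacy forwarding selectors.

```shell
#!/bin/sh
# Forward all local syslog messages to a Graylog syslog input.
#   *.* @host:port   forwards everything over UDP
#   *.* @@host:port  forwards everything over TCP

# rsyslog_forward_rule TARGET [PORT] [udp|tcp]
rsyslog_forward_rule() {
  target=$1; port=${2:-1514}; proto=${3:-udp}
  case $proto in
    udp) printf '*.* @%s:%s\n' "$target" "$port" ;;
    tcp) printf '*.* @@%s:%s\n' "$target" "$port" ;;
    *)   echo "unknown protocol: $proto (use udp or tcp)" >&2; return 1 ;;
  esac
}

# Write the rule into rsyslog's drop-in directory, validate, restart and test.
# RSYSLOG_CONF_DIR is an assumed override so this can be tried in a scratch directory.
install_forward_rule() {
  conf_dir=${RSYSLOG_CONF_DIR:-/etc/rsyslog.d}
  rsyslog_forward_rule "$@" > "$conf_dir/90-graylog.conf" || return 1
  # -N1 parses the full configuration without starting the daemon,
  # so a typo in the rule is caught before the restart
  if command -v rsyslogd >/dev/null 2>&1; then
    rsyslogd -N1 || return 1
  fi
  systemctl restart rsyslog
  # logger goes through /dev/log like any daemon, so if this line reaches Graylog
  # the forwarding works; if it only shows up in local syslog, the problem is the
  # network path or the input (on the Graylog host: ss -lun | grep 1514 shows
  # whether the input listens, tcpdump -ni any udp port 1514 whether packets arrive)
  logger -t graylog-test "forward test from $(hostname) at $(date +%s)"
}

# Usage (uncomment, run as root on the node; the IP is a placeholder):
# install_forward_rule 172.X.X.X 1514 udp
```

If the test line appears locally in `/var/log/syslog` but not in Graylog, the rule itself is usually the culprit: the rule must be `*.* @IP:1514` with the `@` (UDP) or `@@` (TCP) prefix, and the input on the Graylog side must be a Syslog UDP or Syslog TCP input on the same port and protocol.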

What kind of input do you have set up? Can you post a picture of the settings of it?
