I have some questions about the default field 'source'


(Zhou Mfk) #1

I understand the field source is the IP address of the host sending the message to Graylog.
My Graylog architecture is as follows:
3 Graylog nodes as a cluster
3 Elasticsearch nodes as a cluster

The inputs on the Graylog cluster use TCP. I use rsyslog to send messages to Graylog.

My question is about the field source when I proxy the input port through HAProxy. The field source value is HAProxy's IP.
zls-183 is the hostname that uses rsyslog to send messages to Graylog.
10.201.240.3 is the HAProxy IP.
I think the field source value should be the hostname/IP (zls-183), not HAProxy's IP. Is there any way to solve it?


(Jochen) #2

What type of input are you using in Graylog?
How exactly did you configure your rsyslog daemons?


(Zhou Mfk) #3

The input is TCP.

The rsyslog configuration is:
a) /etc/rsyslog.conf

# cat ../rsyslog.conf | grep -Ev "^$|^#"
$WorkDirectory /var/lib/rsyslog
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog")   # provides kernel logging support (previously done by rklogd)
module(load="imfile")
# custom forwarding template: hostname, sender IP, tag and message, with no <PRI> header
$template IpTemplate,"%HOSTNAME% %fromhost-ip%%syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none;local2.none               /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  /var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

b) # cat /etc/rsyslog.d/graylog.conf

ruleset(name="graylog") {
        action(type="omfwd"
            Protocol="tcp"
            Target="10.201.240.4"  # HAProxy virtual IP (keepalived)
            Template="IpTemplate"
            Port="1111"  # This is a proxy port for haproxy
            queue.type="linkedlist"
            queue.filename="q_fwd"
            queue.timeoutenqueue="0"
            queue.size="8000000"
            queue.highwatermark="5000000"
            queue.lowwatermark="4000000"
            queue.discardmark="7200000"
            queue.maxdiskspace="10g"
            queue.saveonshutdown="on"
            queue.dequeuebatchsize="10240"
            queue.workerThreads="4"
            queue.workerThreadMinimumMessages="800000"
        )
    stop
}

input(type="imfile"
    File="/root/nginx_test.log"  # This is a test log file
    Tag="ngx_test"
    PersistStateInterval="1000"
    reopenOnTruncate="on"
    addMetadata="on"
    Ruleset="graylog"
)

(Zhou Mfk) #4

In this picture the source 10.201.240.3 is a node of the Graylog cluster. The other two nodes are 10.201.240.1 and 10.201.240.2.

The HAProxy virtual IP address is 10.201.240.4, using keepalived.


(Zhou Mfk) #5

The current virtual IP 10.201.240.4 and 10.201.240.3 are on the same server.


(Jochen) #6

See https://github.com/Graylog2/graylog-guide-syslog-linux/blob/master/README.md for information about how to configure rsyslog (especially the required template) to work with Graylog.

If you’re not using an RFC 5424-compatible template, you’ll have to use extractors or processing pipeline rules to extract the information from the syslog messages in a structured manner.
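To make the mechanism behind this reply concrete, here is an added Python model (example code, not from the original thread and not Graylog's own codec): a syslog receiver takes `source` from the HOSTNAME field of a parseable RFC 5424 header and, when the line carries no such header, falls back to the address of the TCP peer that delivered it. The poster's IpTemplate emits lines with no `<PRI>` header at all, so the fallback applies and the peer is the HAProxy box. The two sample lines, the peer address 10.201.240.3 and the exact fallback rule are constructed assumptions for illustration; the two remedies shown are the ones the reply names: switch rsyslog to an RFC 5424 template (for example rsyslog's built-in RSYSLOG_SyslogProtocol23Format), or add an extractor or pipeline rule that pulls the leading hostname token back out of the message body.

```python
import re
from typing import Optional, Tuple

# RFC 5424 header:
#   <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP SD [SP MSG]
RFC5424_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) "
    r"(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$"
)

# Shape of the poster's custom IpTemplate:
#   "%HOSTNAME% %fromhost-ip%%syslogtag%%msg%"  ->  "zls-183 127.0.0.1ngx_test <nginx line>"
# No <PRI> header, so a syslog parser cannot treat it as syslog at all.
IPTEMPLATE_HEADER = re.compile(
    r"^(?P<hostname>\S+) (?P<fromhost_ip>\d{1,3}(?:\.\d{1,3}){3})(?P<rest>.*)$"
)

# Constructed sample lines (not real captures). Same nginx event, two templates.
RFC5424_LINE = (
    '<134>1 2019-01-01T12:00:00+08:00 zls-183 ngx_test - - - '
    '192.0.2.10 - - "GET /index.html HTTP/1.1" 200'
)
IPTEMPLATE_LINE = 'zls-183 127.0.0.1ngx_test 192.0.2.10 - - "GET /index.html HTTP/1.1" 200'

# Address the Graylog node sees on the TCP connection when HAProxy forwards
# the stream (assumed to be the proxy's own interface, as in the thread).
HAPROXY_PEER_IP = "10.201.240.3"


def parse_rfc5424(line: str) -> Optional[dict]:
    """Return the RFC 5424 header fields, or None if the line is not RFC 5424."""
    m = RFC5424_HEADER.match(line)
    return m.groupdict() if m else None


def syslog_source(line: str, peer_ip: str) -> Tuple[str, str]:
    """Simplified model of how a syslog input chooses `source` (an assumption
    modelled on the thread, not Graylog's actual implementation):
    HOSTNAME from a parseable header wins, otherwise the TCP peer address.
    Behind a proxy the peer address is the proxy, not the original sender."""
    parsed = parse_rfc5424(line)
    if parsed and parsed["hostname"] != "-":
        return parsed["hostname"], "syslog header"
    return peer_ip, "connection peer"


def extract_source_from_iptemplate(line: str) -> Optional[str]:
    """What an extractor or pipeline rule must do for the custom template:
    recover the leading hostname token from the message body."""
    m = IPTEMPLATE_HEADER.match(line)
    return m.group("hostname") if m else None


if __name__ == "__main__":
    for label, line in (("RFC 5424", RFC5424_LINE), ("IpTemplate", IPTEMPLATE_LINE)):
        src, how = syslog_source(line, HAPROXY_PEER_IP)
        print(f"{label:10s} -> source={src} (from {how})")
    print("extractor on IpTemplate ->", extract_source_from_iptemplate(IPTEMPLATE_LINE))
```

Running it shows the RFC 5424 line resolving to `zls-183` from its header, while the IpTemplate line resolves to the proxy address; the extractor function recovers `zls-183` from the custom line, which is the value a pipeline rule would then write into `source`.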