Join Graylog and Rsyslog

Hello everyone.

I am a beginner with Graylog/MongoDB/Elasticsearch and Rsyslog.

But I try by myself to do good things.

Let me explain my context,

I have 4 virtual machines:

Graylog :
MongoDB :
Elasticsearch :
Rsyslog :

First, I configured my servers to send logs to Rsyslog:

```
[root@graylogv2 ~]# vi /etc/rsyslog.conf

*.*        					@@
```

Then, the Rsyslog server:

```
[root@rsyslog remotehosts]# vi /etc/rsyslog.conf

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514

$template RemoteLogsTesting,"/var/log/remotehosts/%HOSTNAME%/%$now%.log"

if $fromhost-ip != '' then -?RemoteLogsTesting
& stop
```

And that works well:

```
[root@rsyslog remotehosts]# tree
├── elastic
│   ├── 2018-10-01.log
│   ├── 2018-10-02.log
│   └── 2018-10-03.log
├── graylogv2
│   ├── 2018-10-01.log
│   ├── 2018-10-02.log
│   └── 2018-10-03.log
└── mongov2
    ├── 2018-10-01.log
    ├── 2018-10-02.log
    └── 2018-10-03.log
```

But now, I want to join Graylog and rsyslog.

This URL works :

I add an input:

Test_Graylog_1 syslog TCP “Running” on port 1025

But I have an error:

On the Rsyslog server I added:

`*.* @@` on rsyslog.conf

And on Graylog I have:

```
[root@graylogv2 ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0  *               LISTEN      1176/master
tcp        0      0  *               LISTEN      1013/java
tcp        0      0*               LISTEN      1013/java
tcp        0      0    *               LISTEN      1008/sshd
```

I suppose I forgot an important thing,

If anyone can help me, that would be nice!

Thank you for reading.

Hey @Arethusa

From your screenshots, I can see that you’re trying to start the input listening on port 514 (as that is the default value).
Ports below 1024 in *nix systems are “privileged ports”, see

This is why you are getting an error when trying to start your Syslog input. If you change the Port from 514 to something >1024, your input should start successfully.

Once you’ve got the input running, update your rsyslog configurations, restart the service and you should start to see messages being received by Graylog.




Thank you for your answer.

My input is on port 1025


Maybe I have forgotten something?

Thank you.

Oh, I see, in some configurations I use port 514 instead of 1025.

I will fix that, I'll be back!


You need to configure your Rsyslog server to send logs to Graylog.
Because actually it only stores logs locally.
Try something like:
*.* @@
If you have SELinux enabled you can encounter some issues because 1025 is not an authorized port for Rsyslog. You need to tag it syslogd_t to allow this port for Rsyslog.

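The relay configuration the answers above point to, written out as an added example that is not part of any post in this thread: it keeps the per-host files from the original setup and forwards to the Graylog Syslog TCP input on port 1025. `GRAYLOG_IP` is a placeholder, and the `'127.0.0.1'` filter value, the work directory and the queue file name are assumptions.

```conf
# /etc/rsyslog.conf on the relay (the "Rsyslog" VM), legacy directive syntax
# as used in the thread. GRAYLOG_IP is a placeholder for the Graylog address.

# Receive syslog over TCP from the other servers
$ModLoad imtcp
$InputTCPServerRun 514

# Spool directory for the forwarding queue (assumed path)
$WorkDirectory /var/lib/rsyslog

$template RemoteLogsTesting,"/var/log/remotehosts/%HOSTNAME%/%$now%.log"

# 1) Forward to the Graylog Syslog TCP input. "@@" means TCP ("@" is UDP).
#    The port must match the input (1025 here), not the 514 default.
#    The queue settings apply to the next action only and keep rsyslog from
#    stalling or dropping messages while Graylog is unreachable.
$ActionQueueType LinkedList
$ActionQueueFileName graylog_fwd
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
*.* @@GRAYLOG_IP:1025;RSYSLOG_SyslogProtocol23Format

# 2) Then write remote messages to per-host files and stop processing them.
#    "& stop" discards the message for every rule below it, so a forward
#    rule placed after this block would never see logs from remote hosts.
#    The '127.0.0.1' comparison is an assumed value for the local-host filter.
if $fromhost-ip != '127.0.0.1' then -?RemoteLogsTesting
& stop
```

Validate the file with `rsyslogd -N1` before restarting the service. With SELinux enforcing, `semanage port -l | grep syslog` shows which ports rsyslogd is currently allowed to use.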

Hello, I already do that:

But my first mistake is to use the bad port, as Ponet says

```
[root@graylogv2 ~]# vi /etc/rsyslog.conf

*.* @@ 1025
```

Thank you.
