Join Graylog and Rsyslog

Hello everyone.

I am beginner with Graylog/mongodb/Elasticsearch and Rsyslog.

But I try by myself to do good things.

Let me explain my context,

I have 4 Virtual Machine :

Graylog : 192.168.159.163
MongoDB :192.168.159.165
Elasticsearch : 192.168.159.159
Rsyslog : 192.168.159.166

First , I configured my servers to send Logs too Rsyslog :

[root@graylogv2 ~]# vi /etc/rsyslog.conf

*.*        					@@192.168.159.166:514

Then, the server Rsyslog

[root@rsyslog remotehosts]# vi /etc/rsyslog.conf

# Provides TCP syslog reception

$ModLoad imtcp

$InputTCPServerRun 514

$template RemoteLogsTesting,"/var/log/remotehosts/%HOSTNAME%/%$now%.log"

if $fromhost-ip != '127.0.0.1' then -?RemoteLogsTesting

& stop

And that works good :

[root@rsyslog remotehosts]# tree
.
├── elastic
│   ├── 2018-10-01.log
│   ├── 2018-10-02.log
│   └── 2018-10-03.log
├── graylogv2
│   ├── 2018-10-01.log
│   ├── 2018-10-02.log
│   └── 2018-10-03.log
└── mongov2
    ├── 2018-10-01.log
    ├── 2018-10-02.log
    └── 2018-10-03.log

But now, I want to join Graylog and rsyslog.

This URL works : http://192.168.159.163:9000

I add an imput :

Test_Graylog_1 syslog TCP “Running” on port 1025

But I have an error:

graylog3.png1306×841 53.5 KB

On Rsyslog server I added :

. @@192.168.159.163:1025 on rsyslog.conf

And on Graylog I have :

[root@graylogv2 ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1176/master
tcp        0      0 0.0.0.0:1025            0.0.0.0:*               LISTEN      1013/java
tcp        0      0 192.168.159.163:9000    0.0.0.0:*               LISTEN      1013/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1008/sshd

I suppose I forget an important thing,

If any one can help me, that can be nice!

Thank you for reading.

Hey @Arethusa

From your screenshots, I can see that you’re trying to start the Input listening on Port 514 (As that is the default value.)
Ports below 1024 in *nix systems are “privileged ports”, see https://www.staldal.nu/tech/2007/10/31/why-can-only-root-listen-to-ports-below-1024/

This is why you are getting an error when trying to start your Syslog input. If you change the Port from 514 to something >1024, your input should start successfully.

Once you’ve got the input running, update your rsyslog configurations, restart the service and you should start to see messages being received by Graylog.

Thanks.

Hello,

Thank you for your answer.

My imput is on port 1025

Maybe I forgoten some thing ?

Thank you.

Ho, I see, on some configurations I use the port 514 insted of 1025.

I will fix that, I ll back !

Thank.

You need to configure your Rsyslog server to send logs to Graylog.
Because actually it only stores logs locally.
Try something like:
*.* @@192.168.159.163:1025
If you have selinux enabled you can encouter some issues because 1025 is not an authorized port for Rsyslog. You need to tag it syslogd_t to allow this port for Rsyslog.

Hello, I already do that:

But me first mistake is to use the bad port as say Ponet

`` `
[root @ graylogv2 ~] # vi /etc/rsyslog.conf

*. * @@ 192.168.159.166: 1025
`` `

Thank you.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.