Join Graylog and Rsyslog


#1

Hello everyone.

I am a beginner with Graylog/MongoDB/Elasticsearch and Rsyslog.

But I try to do things properly by myself.

Let me explain my context,

I have 4 virtual machines:

Graylog : 192.168.159.163
MongoDB : 192.168.159.165
Elasticsearch : 192.168.159.159
Rsyslog : 192.168.159.166

First, I configured my servers to send logs to Rsyslog:

[root@graylogv2 ~]# vi /etc/rsyslog.conf

*.*        					@@192.168.159.166:514

Then, on the Rsyslog server:

[root@rsyslog remotehosts]# vi /etc/rsyslog.conf

# Provides TCP syslog reception

$ModLoad imtcp

$InputTCPServerRun 514

$template RemoteLogsTesting,"/var/log/remotehosts/%HOSTNAME%/%$now%.log"

if $fromhost-ip != '127.0.0.1' then -?RemoteLogsTesting

& stop

And that works well:

[root@rsyslog remotehosts]# tree
.
├── elastic
│   ├── 2018-10-01.log
│   ├── 2018-10-02.log
│   └── 2018-10-03.log
├── graylogv2
│   ├── 2018-10-01.log
│   ├── 2018-10-02.log
│   └── 2018-10-03.log
└── mongov2
    ├── 2018-10-01.log
    ├── 2018-10-02.log
    └── 2018-10-03.log

But now, I want to join Graylog and Rsyslog.

This URL works: http://192.168.159.163:9000

I added an input:

Test_Graylog_1 syslog TCP "Running" on port 1025

But I have an error.

On the Rsyslog server I added this to rsyslog.conf:

*.* @@192.168.159.163:1025

And on Graylog I have :

[root@graylogv2 ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1176/master
tcp        0      0 0.0.0.0:1025            0.0.0.0:*               LISTEN      1013/java
tcp        0      0 192.168.159.163:9000    0.0.0.0:*               LISTEN      1013/java
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1008/sshd

I suppose I forgot an important thing.

If anyone can help me, that would be nice!

Thank you for reading.


(Jesse Hills) #2

Hey @Arethusa

From your screenshots, I can see that you're trying to start the Input listening on Port 514 (as that is the default value).
Ports below 1024 on *nix systems are "privileged ports", see https://www.staldal.nu/tech/2007/10/31/why-can-only-root-listen-to-ports-below-1024/

This is why you are getting an error when trying to start your Syslog input. If you change the Port from 514 to something >1024, your input should start successfully.

Once you’ve got the input running, update your rsyslog configurations, restart the service and you should start to see messages being received by Graylog.

Thanks.


#3

Hello,

Thank you for your answer.

My input is on port 1025.

Maybe I forgot something?

Thank you.


#4

Oh, I see, in some configurations I used port 514 instead of 1025.

I will fix that, I'll be back!

Thanks.


#5

You need to configure your Rsyslog server to send logs to Graylog.
Because currently it only stores logs locally.
Try something like:
*.* @@192.168.159.163:1025
If you have SELinux enabled you can encounter some issues because 1025 is not an authorized port for Rsyslog. You need to tag it syslogd_t to allow this port for Rsyslog.
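The two mistakes this thread turns on (forwarding to port 514 while the Graylog input listens on 1025, and pointing the action at the relay's own address instead of Graylog's) are easy to catch before restarting rsyslog. The following is an added example, not code from the thread or from the Graylog project: it parses the legacy `@host[:port]` / `@@host[:port]` forwarding actions shown in posts #1 and #5 from rsyslog.conf text, compares them against the Graylog input (assumed, as in the thread, to be TCP on 192.168.159.163:1025, with the relay at 192.168.159.166), and can then push one hand-built RFC 3164 line over TCP so the message shows up in the input's "Show received messages" view. The finding codes and the sample config strings are constructed for this example.

```python
import re
import socket
from dataclasses import dataclass
from datetime import datetime

# Addresses as they appear in the thread (assumed here; substitute your own).
GRAYLOG_HOST = "192.168.159.163"   # Graylog syslog TCP input "Test_Graylog_1"
GRAYLOG_PORT = 1025                # unprivileged, so a non-root Graylog can bind it
RELAY_HOST = "192.168.159.166"     # the central rsyslog server

# Legacy rsyslog forwarding action: <selector> @host[:port] (UDP) or @@host[:port] (TCP).
# The port defaults to 514 when omitted, which is what rsyslog itself does.
_FORWARD = re.compile(
    r"^\s*(?P<selector>\S+)\s+(?P<proto>@@?)(?P<host>[^:\s]+)(?::(?P<port>\d+))?\s*$"
)

# Constructed samples: the relay's rsyslog.conf before and after the fix from the thread.
BAD_CONF = "$ModLoad imtcp\n$InputTCPServerRun 514\n*.* @@192.168.159.163:514\n"
GOOD_CONF = "$ModLoad imtcp\n$InputTCPServerRun 514\n*.* @@192.168.159.163:1025\n"


@dataclass
class ForwardRule:
    selector: str
    proto: str   # "tcp" or "udp"
    host: str
    port: int


def parse_forward_rules(conf_text):
    """Extract every forwarding action from rsyslog.conf text; comments are ignored."""
    rules = []
    for raw in conf_text.splitlines():
        m = _FORWARD.match(raw.split("#", 1)[0])
        if m:
            proto = "tcp" if m["proto"] == "@@" else "udp"
            rules.append(ForwardRule(m["selector"], proto, m["host"], int(m["port"] or 514)))
    return rules


def check_forwarding(conf_text, graylog_host=GRAYLOG_HOST, graylog_port=GRAYLOG_PORT,
                     graylog_proto="tcp", relay_host=RELAY_HOST):
    """Check the relay's forwarding actions against the Graylog input.

    Returns a list of (code, detail) findings; an empty list means at least one
    action targets the right host on the right port and protocol.
    """
    rules = parse_forward_rules(conf_text)
    if not rules:
        return [("NO_FORWARD", "no @host/@@host action: messages stay in local files only")]
    findings = []
    if not any(r.host == graylog_host for r in rules):
        findings.append(("NOT_TO_GRAYLOG", f"no action targets {graylog_host}"))
    for r in rules:
        target = f"{r.proto}://{r.host}:{r.port}"
        if r.host == relay_host:
            findings.append(("LOOPS_TO_RELAY", f"{target} is the relay itself, not Graylog"))
            continue
        if r.host != graylog_host:
            continue
        if r.port != graylog_port:
            findings.append(("PORT_MISMATCH", f"{target}: the Graylog input listens on {graylog_port}"))
        if r.proto != graylog_proto:
            findings.append(("PROTO_MISMATCH", f"{target}: the Graylog input is {graylog_proto}"))
        if r.port < 1024:
            findings.append(("PRIVILEGED_PORT", f"{target}: a non-root Graylog cannot bind it"))
    return findings


def build_syslog_line(hostname, tag, message, when=None, facility=1, severity=5):
    """One RFC 3164 line (PRI, BSD timestamp, host, tag) as the Graylog syslog input parses it.
    Defaults give PRI 13: facility user (1) * 8 + severity notice (5)."""
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {message}\n"


def send_test_message(line, host=GRAYLOG_HOST, port=GRAYLOG_PORT, timeout=3.0):
    """Deliver one line over TCP and return the byte count; needs network access.
    The Graylog TCP syslog input splits frames on the newline build_syslog_line appends."""
    data = line.encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(data)
    return len(data)


if __name__ == "__main__":
    for code, detail in check_forwarding(BAD_CONF):
        print(f"{code}: {detail}")
    print("fixed config:", check_forwarding(GOOD_CONF) or "ok")
    print(build_syslog_line("rsyslog", "graylog-test", "hello from the relay").strip())
```

Run it on the relay after editing rsyslog.conf and before `systemctl restart rsyslog`; once the checks pass, `send_test_message(build_syslog_line("rsyslog", "graylog-test", "hello"))` gives a single message to look for in the input, independent of whatever the relay is receiving from the other hosts. On an SELinux-enforcing relay, note that the port type rsyslog is allowed to connect to is `syslogd_port_t` in the reference policy (514 carries it by default), so the extra port is added with `semanage port -a -t syslogd_port_t -p tcp 1025`; check `ausearch -m avc -ts recent` if messages still do not arrive.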


#6

Hello, I already did that:

But my first mistake was to use the wrong port, as Ponet said.

```
[root@graylogv2 ~]# vi /etc/rsyslog.conf

*.* @@192.168.159.166:1025
```

Thank you.