Log rotation of Graylog restaccess.log

Hi

I have enabled logging of the API access so I can use fail2ban to block unauthorised access to Graylog. I followed the below guide, but it does not cover log rotation.
https://docs.graylog.org/en/4.0/pages/secure/sec_log_user_activity.html?highlight=debug#configuring-the-access-log
I have tried changing the config to be similar to that of the server.log but it just stops logging, so the syntax must be wrong. Anyone know how to rotate this log via log4j2.xml?

I have tried the below

<Appenders>
        <!-- Simple appender that writes access log to specified file -->
        <RollingFile name="RestAccessLog" fileName="/var/log/graylog-server/restaccess.log" append="true">
            <PatternLayout pattern="%d %-5p: %c - %m%n"/>
            <Policies>
                <SizeBasedTriggeringPolicy size="50MB"/>
            </Policies>
        </RollingFile>
        <RollingFile name="rolling-file" fileName="/var/log/graylog-server/server.log" filePattern="/var/log/graylog-server/server.log.%i.gz">
            <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
            <Policies>
                <SizeBasedTriggeringPolicy size="50MB"/>
            </Policies>
            <DefaultRolloverStrategy max="10" fileIndex="min"/>
        </RollingFile>

Anyone know how to do this?

Thanks

Any thoughts on this anyone?

I've tried using the log rotate daemon in Linux as well, and also wrote my own script, but both ways, once the log is rotated Graylog does not create a new one (or write to a new one I've created); the Graylog service has to be restarted to get it working again.

Is it possible to rotate it in the below file as the server.log file does?

/etc/graylog/server/log4j2.xml

I really need to resolve this as it creates 200 MB of logs a day, and the file is getting way too big.

Thanks

Hi all,

In case it helps anyone else in future using the restaccess.log to see what IP addresses are accessing the REST API in the future, I figured this out thanks to a lot of googling and mainly this post:

that I needed the filePattern="/var/log/graylog-server/restaccess.log.%i.gz" on the end, specifically the “%i”

so my xml now looks like this and both logs rotate …

<?xml version="1.0" encoding="UTF-8"?>
<Configuration packages="org.graylog2.log4j" shutdownHook="disable">
    <Appenders>
        <!-- Simple appender that writes access log to specified file -->
        <RollingFile name="RestAccessLog" fileName="/var/log/graylog-server/restaccess.log" filePattern="/var/log/graylog-server/restaccess.log.%i.gz">
            <PatternLayout pattern="%d %-5p: %c - %m%n"/>
            <Policies>
                <SizeBasedTriggeringPolicy size="50MB"/>
            </Policies>
            <DefaultRolloverStrategy max="10" fileIndex="min"/>
        </RollingFile>
        <RollingFile name="rolling-file" fileName="/var/log/graylog-server/server.log" filePattern="/var/log/graylog-server/server.log.%i.gz">
            <PatternLayout pattern="%d{yyyy-MM-dd'T'HH:mm:ss.SSSXXX} %-5p [%c{1}] %m%n"/>
            <Policies>
                <SizeBasedTriggeringPolicy size="50MB"/>
            </Policies>
            <DefaultRolloverStrategy max="10" fileIndex="min"/>
        </RollingFile>
        <!-- Internal Graylog log appender. Please do not disable. This makes internal log messages available via REST calls. -->
        <Memory name="graylog-internal-logs" bufferSize="500"/>	
    </Appenders>
    <Loggers>
        <!-- RestAccessLogFilter -->
        <!-- Access-log entries go only to the RestAccessLog file appender; this file defines no STDOUT console appender to reference. -->
        <Logger name="org.graylog2.rest.accesslog" level="debug" additivity="false">
            <AppenderRef ref="RestAccessLog" level="debug"/>
        </Logger>
        <!-- Application Loggers -->
        <Logger name="org.graylog2" level="info"/>
        <Logger name="com.github.joschi.jadconfig" level="warn"/>
        <!-- Prevent DEBUG message about Lucene Expressions not found. -->
        <Logger name="org.elasticsearch.script" level="warn"/>
        <!-- Disable messages from the version check -->
        <Logger name="org.graylog2.periodical.VersionCheckThread" level="off"/>
        <!-- Silence chatty natty -->
        <Logger name="com.joestelmach.natty.Parser" level="warn"/>
        <!-- Silence Kafka log chatter -->
        <Logger name="kafka.log.Log" level="warn"/>
        <Logger name="kafka.log.OffsetIndex" level="warn"/>
        <Logger name="org.apache.kafka.clients.consumer.ConsumerConfig" level="warn"/>
        <!-- Silence useless session validation messages -->
        <Logger name="org.apache.shiro.session.mgt.AbstractValidatingSessionManager" level="warn"/>
        <Root level="warn">
            <AppenderRef ref="rolling-file"/>
            <AppenderRef ref="graylog-internal-logs"/>
        </Root>
    </Loggers>
</Configuration>
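An added example, not part of the original posts or Graylog's own tooling: a small Python check for the two problems visible in this thread's configs, a RollingFile appender without a usable filePattern and an AppenderRef naming an appender the file does not define. The function name `lint_log4j2` and the sample XML are constructed for illustration, and the check assumes element names are written in the exact case shown.

```python
import xml.etree.ElementTree as ET

# Constructed sample: RestAccessLog repeats the non-rotating attempt from the
# thread (no filePattern) and the logger references an undefined STDOUT appender.
SAMPLE = """<Configuration>
  <Appenders>
    <RollingFile name="RestAccessLog" fileName="/var/log/graylog-server/restaccess.log" append="true">
      <PatternLayout pattern="%d %-5p: %c - %m%n"/>
      <Policies><SizeBasedTriggeringPolicy size="50MB"/></Policies>
    </RollingFile>
    <RollingFile name="rolling-file" fileName="/var/log/graylog-server/server.log"
                 filePattern="/var/log/graylog-server/server.log.%i.gz">
      <Policies><SizeBasedTriggeringPolicy size="50MB"/></Policies>
      <DefaultRolloverStrategy max="10" fileIndex="min"/>
    </RollingFile>
  </Appenders>
  <Loggers>
    <Logger name="org.graylog2.rest.accesslog" level="debug" additivity="false">
      <AppenderRef ref="RestAccessLog"/>
      <AppenderRef ref="STDOUT"/>
    </Logger>
    <Root level="warn"><AppenderRef ref="rolling-file"/></Root>
  </Loggers>
</Configuration>"""

def lint_log4j2(xml_text):
    """Return a sorted list of (name, problem) findings for a log4j2 XML config."""
    root = ET.fromstring(xml_text)
    # Names of every appender declared directly under <Appenders>.
    defined = {a.get("name") for a in root.findall("Appenders/*")}
    findings = []
    for rf in root.iter("RollingFile"):
        name = rf.get("name", "?")
        pattern = rf.get("filePattern")
        if not pattern:
            findings.append((name, "missing filePattern"))
        elif "%i" not in pattern and "%d" not in pattern:
            findings.append((name, "filePattern has no %i counter or %d date"))
        # A policy may sit inside <Policies> or directly under the appender.
        if not any(e.tag.endswith("TriggeringPolicy") for e in rf.iter()):
            findings.append((name, "no triggering policy"))
    for ref in root.iter("AppenderRef"):
        target = ref.get("ref", "?")
        if target not in defined:
            findings.append((target, "AppenderRef to undefined appender"))
    return sorted(findings)

if __name__ == "__main__":
    for name, problem in lint_log4j2(SAMPLE):
        print(f"{name}: {problem}")
```

Running it against a copy of /etc/graylog/server/log4j2.xml before restarting the service catches a rotation mistake before the access log, and the fail2ban input that depends on it, goes quiet.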

kudos for figuring it out and for sharing… I’m sure it’ll help someone down the road.