Mongodb log not sent to graylog

Hello all.

I am using Ubuntu 20.04, Graylog 4.2.6 and MongoDB 3.6.8.

I have set the mongodb log to be sent to syslog, but I can’t check the input.

$InputFileName /var/log/mongodb/mongodb.log
$InputFileTag MongoLog:
$InputFileStateFile info.statefile
$InputFileFacility local4
$InputFileSeverity info
$InputRunFileMonitor

local4.*                        @server-ip:port

This is the conf in rsyslog.
I don’t think the input is wrong.

I would like to send it to rsyslog if possible, am I missing something in my setup?

Hey @pat-bung

Have you tried this?

# UDP connection
*.* @graylog_server:5140
# TCP connection
*.* @@Graylog_server:5140

I am already sending one syslog.
*.info;mail.none;authpriv.none;cron.none @server-ip:syslog-port
Is it ok to set it as a duplicate?

@pat-bung

I’ll be honest, I haven’t touched Rsyslog in a few. My setup was normally to collect all my data and configure it to send once.

Example of my old one.

#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

kern.debug /var/log/firewall.log


# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

##Enable sending of logs over UDP add the following line:

*.* @192.168.0.101:5140


##Set disk queue when rsyslog server will be down
##(legacy $ActionQueue* directives apply to the next action, so they sit before the TCP forward):

$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

##Enable sending of logs over TCP add the following line:

*.* @@192.168.0.101:5140

Give it a few, maybe someone else here has a better example.
You could check your firewall to make sure those ports are open, and if you're using ports above 1024.


I am also set up to send all logs at once like you.

*.info;mail.none;authpriv.none;cron.none @server-ip:syslog-port

It seems to be the setting mentioned above.

But apart from this I want to send the mongodb logs to rsyslog using a different port.
On the other server I set up, I set rsyslog to send syslog and mariadb log separately, and it works without any problems.

The mongodb input shows only one log at first, and nothing is received after that…

OPTIONS sip:100@server-ip SIP/2.0
Via: SIP/2.0/UDP another-ip:5068;branch=z9hG4bK-608441588;rport
Content-Length: 0
From: "sipvicious"<sip:100@1.1.1.1>;tag=3331663732336535303435310132373335333632393938
Accept: application/sdp
User-Agent: Trixbox
To: "sipvicious"<sip:100@1.1.1.1>
Contact: sip:100@another-ip:5068
CSeq: 1 OPTIONS
Call-ID: 591691810654321255513199
Max-Forwards: 70

My guess is that this is not a proper mongo log.
I don’t know why the hell you’re doing this…

Just an idea, you can use Rsyslog for your mail and install Nxlog for MongoDB logs.
In my lab I have two different log shippers installed on one server for testing.

There were a couple of reasons why I stopped using Rsyslog, especially when I needed to use TCP/TLS for INPUT connection.

Here was an old post of mine

EDIT: That looks like a mail log.


Thank you for your response.
But I noticed a while ago that the mongo log only has a simple access log…
I think I need to change the settings of this log first so that various information is generated…

I have solved this problem!!

$ModLoad imfile
$InputFileName /var/log/mongodb/mongodb.log
$InputFileTag MongoLog:
$InputFileStateFile mongo-state
$InputFileFacility local3
$InputRunFileMonitor

local3.*                        @server-ip:port

The facility in rsyslog.conf had to be set to 3. :joy:

Thanks for always helping me!! If there are any other problems, we will come to you. Always be healthy!


Awesome!
I didn’t even think about the facility. Local0-local7, they're syslog facility values. The “Priority Value” being part of the syslog message.

If you could mark it as resolved that would be great for future searches :slight_smile:


yep thank you always :smiling_face: :smiling_face:
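
Added example, not part of the thread: a Python sketch of how the Priority Value mentioned above encodes the facility that imfile stamps on each MongoDB line, and which of the thread's two forwarding selectors such a line matches. The selector matcher is a simplified stand-in for rsyslog's legacy selector syntax (no `=` or `!` modifiers), and the sample frame and its hostname are constructed.

```python
import re

# Facility and severity codes as used in the syslog PRI field.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert",
              "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The two forwarding rules quoted in the thread (placeholders kept as posted).
RULES = [
    ("local3.*", "@server-ip:port"),
    ("*.info;mail.none;authpriv.none;cron.none", "@server-ip:syslog-port"),
]

# Constructed sample of what the receiving input would see for one imfile line.
SAMPLE = "<158>Mar  1 10:00:00 db01 MongoLog: I NETWORK [listener] connection accepted"


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(frame):
    """Return (facility, severity) from the leading <PRI> of a syslog frame."""
    match = re.match(r"<(\d{1,3})>", frame)
    if not match or int(match.group(1)) > 191:
        raise ValueError("no valid PRI header")
    pri = int(match.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def selector_matches(selector, facility, severity):
    """Simplified legacy selector: ';'-separated parts, later parts override."""
    matched = False
    for part in selector.split(";"):
        facs, prio = part.rsplit(".", 1)
        if facs != "*" and facility not in facs.split(","):
            continue  # this part says nothing about our facility
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        else:  # plain priority means "this severity or more urgent"
            matched = SEVERITIES.index(severity) <= SEVERITIES.index(prio)
    return matched


def destinations(facility, severity, rules=RULES):
    """List every forward target whose selector accepts the message."""
    return [dst for sel, dst in rules if selector_matches(sel, facility, severity)]
```

With both rules loaded, a local3.info line goes to both destinations; appending `;local3.none` to the catch-all selector keeps it on the dedicated port only.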
