Monitor syslog from other server

I have a server with all the syslog from other servers (I don't know what it means, but someone created it like that). Each server has its own directory on this server, and all of its logs are in that directory.
Is it possible for Graylog to read this directory as server output (or other)?
And if yes, how do I configure it (all are Linux servers)?
Something like this:
We have servers a, b, c, d; all logs from a…d are on server X under directories x:/log/a, x:/log/b, …
What I want is to read only server X and monitor x:/log/a, …

The short answer is yes, Graylog can do that. Assuming from how you are describing your scenario, you would be starting from scratch. You could go to the Installation Instructions to start. There is quite a lot to work through and set up… once the framework was set in place you could use Elasticsearch filebeat that comes with the Sidecar to pull the log files… I am assuming Windows since you have a drive letter at the head of your path… Here would be a generic example winfilebeat configuration for your scenario:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

# Beats output
output.logstash:
  hosts: ["Server-X"]
# Filebeat state and log locations used by the Sidecar
path:
  data: C:\Program Files\Graylog\sidecar\cache\winfilebeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
  - logcatcher
filebeat.inputs:
  - type: log
    enabled: true
    # include_lines: ['example', 'Turf', 'stuff'] # Commented out... for now
    exclude_lines: ['^#'] # exclude anything that starts with #
    ignore_older: 7h
    # One subdirectory per origin server
    paths:
      - X:\log\*\*.log

There is so much more to explain to put it all together, but start with the installation docs and you will breeze through the rest of it…

I installed a Graylog server on Ubuntu 20.04.
All my servers are Linux (Ubuntu/Debian/FreeBSD).
But I only need to do something on my syslog server.
How do I read all the log directories in the Graylog server?

Hi there

I reckon you can just install Filebeat (Filebeat: Lightweight Log Analysis & Elasticsearch | Elastic) on the server in question; configure it to read the appropriate log locations; make sure it has chmod permissions to read said appropriate log locations; and set the output of Filebeat to Graylog.

Is it the only possibility? I prefer not to install Filebeat on my rsyslog server.

There are plenty of other approaches; Filebeat is merely the simplest to set up and most robust. An OS-native solution would be to use rsyslog.d to forward the logs.

See Graylog3 internal logs - #3 by ncmfn

Documentation: Ingest syslog - Log sources

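Added example, not part of the original thread or of the Graylog documentation: a drop-in for the central rsyslog server that forwards everything it receives to Graylog over TLS, which is the rsyslog.d approach the reply above mentions. The file name, the host `graylog.example.internal`, port 6514, and the CA path are assumptions, and it presumes a Syslog TCP input with TLS enabled on the Graylog side.

```conf
# /etc/rsyslog.d/60-graylog.conf on the central rsyslog server
# (file name, target host, port and CA path are assumed values)
#
# Requires the rsyslog GnuTLS driver (package rsyslog-gnutls on Debian/Ubuntu).
#
# Messages relayed from servers a, b, c, d keep their original hostname
# field, so Graylog lists each origin server as its own source.
#
# TLS settings: encrypt the stream and accept the receiver only if its
# certificate chains to the CA below and its name matches PermittedPeers.
#
# Queue settings: a disk-assisted queue buffers messages while Graylog is
# unreachable instead of dropping them; resumeRetryCount -1 retries forever.

global(DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/graylog-ca.pem")

action(
    type="omfwd"
    target="graylog.example.internal"
    port="6514"
    protocol="tcp"
    template="RSYSLOG_SyslogProtocol23Format"

    StreamDriver="gtls"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="graylog.example.internal"

    queue.type="LinkedList"
    queue.filename="graylog_fwd"
    queue.maxDiskSpace="1g"
    queue.saveOnShutdown="on"
    action.resumeRetryCount="-1"
)
```

Check the syntax with `rsyslogd -N1` before restarting rsyslog.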

OK. Just to be sure I understand what you mean:
1 - I have a Graylog server.
2 - An rsyslog server (with all the copies of syslog from the other servers). I install Filebeat on the rsyslog server and configure it to read the directories. Then I configure Graylog to read Filebeat.
Correct?

All correct.

Technically when you install filebeat on your syslog server, you configure filebeat to connect to the Graylog server to retrieve its file log configuration, then you create that configuration (with directories you want to capture) for the filebeat in Graylog and assign it to your syslog server. Once assigned, Graylog pushes the configuration to your Syslog server and the filebeat will send all log file changes to the listening Beats Input you created on the Graylog server…

Thanks, Filebeat is working fine, and it's easy.
I need to have another method to demonstrate, for people to choose.
Is there any way to do this?

The method I outlined in my previous post would work, using rsyslog.

You could also use nxlog, a similar platform to Filebeat.
