More general questions about how Graylog works

Graylog Central (peer support)
1

1. Describe your incident:

I am receiving logs and messages on Graylog, but now I would just like to know more about how Graylog works.

2. Describe your environment:

  • OS Information: CentOS 7

  • Package Version: ?

3. What steps have you already taken to try and solve the problem?
I have tried to search it up online, but I am not familiar with a lot of technical terms…

4. How can the community help?

How does Graylog obtain log messages? Is it pulling them straight from the source? If they are straight from the source, how can I find out where the location is on the source (i.e. what path)?
Or does Graylog creates its own messages, and if so, how can I find out what kind of messages these are?

2

Tom At Lawrence Systems does a great job explaining his way through Graylog. That will likely cover a lot of your questions on how it works. :slight_smile:

1 Like
3

Thank you for your response.

Actually, this video has been my reference video since I started playing with Graylog - I just need some clarifications: are these log messages raw from the source (and not formatted by Graylog, besides the extractors)?

4

I also noticed that port 1514 is the usual port for syslogs, but can a raw plaintext UDP input and a raw plaintext TCP input both use this port?

5

One or the other - use an alternative port if you have to.

6

Why? I have one input at UDP1514 and other input on TCP1514 and its no problem

7

I had read it as you were sending TCP ~AND~ UDP to the same input rather than two inputs same port. Should be fine the way you have it!

2 Likes
8

So if I want to configure new inputs, do I have to configure the Graylog server IP on the client/source side every time? In other words, for Graylog to receive logs, do I always have to configure a IP with port number at the two endpoints?

9

Hello,

Example: Graylog input for any devices using Syslog UDP port 514 , settings click Global and bind address to 0.0.0.0.

image
image662×672 35.9 KB

As for the client/log shipper use Graylog IP address /w Port needed.

2 Likes
10

Thank you for your response.

As for inputs, I see the field “Active connections” for some of them. What does that mean?

For example, for my raw TCP input right now, it says “Active connections: 2 (75 total)”, although network IO and msgs/s are all 0.

11

To keep the forums searchable, it’s best to start a new topic for each question rather than a running dialogue. It also facilitates everyone having a chance to chime in for answers since additions to a single topic only show up as NEW for anyone who has written in it… :smiley:

3 Likes
12

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.