Multiple servers forwarding to Graylog


(mc) #1

Good day,

I have a simple diagram I am working on: Graylog -> Ubuntu syslog forwarder -> switch and router.
The router and switch send their logs to Ubuntu, and Ubuntu forwards those logs to Graylog, which works as the central syslog server.
The problem I am facing is that Graylog is receiving the logs from the router and switch with Ubuntu's IP address. Is there a
way to get the router and switch log messages to Graylog with their original source IPs?

Thank you!


(Jochen) #2

If your syslog server adds the original client's hostname or IP address to the forwarded syslog message, you can extract that in Graylog and assign it to the "source" message field.

Otherwise, the information about which machine was the original sender is lost.


(mc) #3

Thanks for your reply. Here is the simple script in place. Any advice?

slroot@ppgbcislf01:~$ nano /etc/rsyslog.conf

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="514")

# I AM EDITING ABOVE UDP LINES
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# Enable non-kernel facility klog messages
$KLogPermitNonKernelFacility on

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf

# forward every message to Graylog over UDP (single @; @@ would be TCP),
# using rsyslog's default forwarding template
*.* @192.168.68.22:514

#4

I've done what Jochen recommends, but I also re-assign the forwarder address so I have a record of what source delivered it.

If you aren't seeing the original IP or hostname in the logs, this might help. Possibly the "$PreserveFQDN on" part, but I'm not positive. https://serverfault.com/questions/274625/how-do-i-get-rsyslogd-to-log-a-servers-fqdn-instead-of-its-short-hostname

If you want an example of my pipeline rule let me know.


(mc) #5

Hello,

Can you please tell me how to extract the source IP in Graylog? I have tried many things but I couldn't do it. I have limited skills with Linux and Graylog.
Thanks!
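The mechanism Jochen describes in #2, applied to the config posted in #3 and covering the extraction question in #5, as an added example that is not any poster's config. It assumes the file is dropped into /etc/rsyslog.d/ under a name chosen here (60-graylog.conf) and that the "*.* @192.168.68.22:514" line is removed from /etc/rsyslog.conf; the Graylog address and port are taken from the posted config. Everything else uses standard rsyslog properties and the omfwd output module.

```rsyslog
# Added example for this thread, not the original poster's config: a drop-in
# for the Ubuntu relay that keeps the original sender's address when it
# forwards router/switch logs to Graylog. Assumed location:
# /etc/rsyslog.d/60-graylog.conf (name chosen for this example). Remove
# "*.* @192.168.68.22:514" from /etc/rsyslog.conf, otherwise every message
# is sent to Graylog twice.

# Receive the router and switch logs over UDP, as in the posted config.
module(load="imudp")
input(type="imudp" port="514")

# Variant A: relay with the original sender's IP in the syslog HOSTNAME slot.
# Graylog's syslog input takes "source" from that field, so no extractor or
# pipeline rule is needed. %fromhost-ip% is the address the datagram actually
# arrived from (not a name the device wrote into its own header);
# %fromhost% would give its reverse-DNS name where one resolves.
# Everything after the hostname matches rsyslog's built-in RSYSLOG_ForwardFormat.
template(name="fwd_orig_ip" type="string"
         string="<%PRI%>%TIMESTAMP:::date-rfc3339% %fromhost-ip% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%")

# Variant B (what #2 and #4 describe): keep the relay's own hostname in the
# header and carry the original address inside the message as "orig_ip=...",
# to be extracted in Graylog with a pipeline rule or extractor that matches
# orig_ip=(\S+) and writes the capture to "source". Both the relay and the
# original device are then recorded in every message.
template(name="fwd_tagged" type="string"
         string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32% orig_ip=%fromhost-ip%%msg:::sp-if-no-1st-sp%%msg%")

# Messages generated on the relay itself (imuxsock, imklog) carry
# fromhost-ip 127.0.0.1; sending those with Variant A would make Graylog show
# "127.0.0.1" as their source, so they keep the default forwarding template.
if $fromhost-ip == "127.0.0.1" then {
    action(type="omfwd" target="192.168.68.22" port="514" protocol="udp")
} else {
    action(type="omfwd" target="192.168.68.22" port="514" protocol="udp"
           template="fwd_orig_ip")
    # To use Variant B instead, replace template="fwd_orig_ip" with
    # template="fwd_tagged". The legacy-syntax equivalent of this action is
    # "*.* @192.168.68.22:514;fwd_orig_ip".
}
```

Check the file with "rsyslogd -N1" before restarting rsyslog. With Variant A the source Graylog displays is the address the relay actually received the datagram from, which is more trustworthy than a hostname the device put in its own header, although plain UDP syslog offers no protection against a spoofed sender address on the network; the relay's own address still arrives with each message in Graylog's gl2_remote_ip field, so the forwarding path is not lost either way.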


(system) #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.