Not getting all samba logs

hal.clark · August 27, 2021, 10:47pm

I have Graylog version is 4.0.6 and a samba server that is an AD domain controller. I setup the rsyslog to send syslogs to my graylog server and thats working fine, but im not getting all the samba logs. Specifically the log information I need is in /var/log/samba/log.samba. Samba is logging what I want. I can see the information I want in the log file, but that particular log is not getting sent to graylog.

Does anyone know how to get this working?

Description of steps you’ve taken to attempt to solve the issue

rsyslog.conf has the line . @IPV4:Port;RSYSLOG_SyslogProtocol23Format
(some reason the star.star does not show in the post)

Operating system information

my samba server is Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-154-generic x86_64)

gsmith · August 28, 2021, 3:14am

Hello && Welcome

Not completely sure what’s going on but I’ll take a guess . It should be something like this below and make sure your rsyslog port matches your Graylog INPUT port. I personally use ports above 1024
Here is an example:

*.* @@10.10.10.10:5140  //UPD connection
*.* @10.10.10.10:5140      //TCP connection

https://docs.graylog.org/en/4.0/pages/sending/syslog.html#rsyslog

I think you might have better luck with either nxlog-ce install or Graylog sidecar.
To help you further ,some more information would be appreciated. At this point I can only guess whats going on in your environment.

https://docs.graylog.org/en/4.0/pages/sidecar.html

Hope that helps

hal.clark · August 31, 2021, 2:27pm

No thats what I have. I think the problem is that the logs I want are in a sub-folder. The logs that are being sent are in /var/log while I want a log thats in /var/log/samba. I dont know how to get it to send the logs in that sub-folder.

gsmith · August 31, 2021, 10:23pm

Hello,

When you stated this, does it mean you have Nxlog-ce install or Graylog Sidecar. I’m a little confused by this statement.

If you have Nxlog-ce installed you can do something like this.

<Input messages>
    Module       im_file
    FILE         "/var/log/sub_folder/*"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    Exec  $Message = $raw_event;
</Input>

OR

FileBeat you can do something like this.

 # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    - /var/log/sub_folder/*.log

As for Rsyslog I believe you need to configure your full path under Rule section. It been a while since I used Rsyslog.

Hope that helps

system · September 14, 2021, 10:23pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[solved] How i get rsyslog messages in graylog? misunderstanding Graylog Central (peer support)	5	8636	February 1, 2019
Can't send rsyslog Graylog Central (peer support)	14	2642	September 9, 2017
New Remote Server Doesn't send rsyslog to established Graylog Server Graylog Central (peer support)	4	495	November 22, 2020
Issues with Syslog input Graylog Central (peer support)	21	7442	August 22, 2017
Rsyslog and logs from Ubuntu to graylog Graylog Central (peer support)	2	8968	March 26, 2022

Not getting all samba logs

Description of steps you’ve taken to attempt to solve the issue

Operating system information

Related Topics