Not getting all samba logs

I have Graylog version 4.0.6 and a Samba server that is an AD domain controller. I set up rsyslog to send syslogs to my Graylog server and that's working fine, but I'm not getting all the Samba logs. Specifically, the log information I need is in /var/log/samba/log.samba. Samba is logging what I want. I can see the information I want in the log file, but that particular log is not getting sent to Graylog.

Does anyone know how to get this working?

Description of steps you’ve taken to attempt to solve the issue

rsyslog.conf has the line:

    *.* @IPV4:Port;RSYSLOG_SyslogProtocol23Format

Operating system information

My Samba server is Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-154-generic x86_64).

Hello && Welcome

Not completely sure what's going on, but I'll take a guess. It should be something like the lines below, and make sure your rsyslog port matches your Graylog INPUT port. I personally use ports above 1024.
Here is an example:

    # @@ forwards over TCP, a single @ forwards over UDP (rsyslog comments start with #)
    *.* @@10.10.10.10:5140    # TCP connection
    *.* @10.10.10.10:5140     # UDP connection

https://docs.graylog.org/en/4.0/pages/sending/syslog.html#rsyslog

I think you might have better luck with either an nxlog-ce install or Graylog Sidecar.
To help you further, some more information would be appreciated. At this point I can only guess what's going on in your environment.

https://docs.graylog.org/en/4.0/pages/sidecar.html

Hope that helps

No, that's what I have. I think the problem is that the logs I want are in a sub-folder. The logs that are being sent are in /var/log, while I want a log that's in /var/log/samba. I don't know how to get it to send the logs in that sub-folder.

Hello,

When you stated this, does it mean you have Nxlog-ce installed or Graylog Sidecar? I'm a little confused by this statement.

If you have Nxlog-ce installed you can do something like this.

    <Input messages>
        # im_file tails every file matching the glob; SavePos remembers the
        # offset across restarts so lines are not re-sent, ReadFromLast skips
        # the existing backlog on first start
        Module        im_file
        File          "/var/log/sub_folder/*"
        SavePos       TRUE
        ReadFromLast  TRUE
        PollInterval  1
        Exec          $Message = $raw_event;
    </Input>

OR

With Filebeat you can do something like this.

    filebeat.inputs:
      - type: log
        enabled: true
        # Paths that should be crawled and fetched. Glob based paths.
        paths:
          - /var/log/*.log
          - /var/log/sub_folder/*.log

As for rsyslog, I believe you need to configure your full path under the Rule section. It's been a while since I used rsyslog.

Hope that helps
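For the rsyslog route the original poster is already on, the missing piece is the imfile input module: plain rsyslog rules only see messages that arrive via the syslog socket, and Samba's AD DC writes log.samba directly to disk, so the file has to be tailed explicitly. The snippet below is an added example written for this thread, not config from the thread or from the Graylog or rsyslog projects; the Graylog address 192.0.2.10, port 5140, the local6 facility, the "samba:" tag and the file name 60-samba-to-graylog.conf are assumptions you would replace with your own values.

```conf
# /etc/rsyslog.d/60-samba-to-graylog.conf  (example; adjust target, port and paths)

# Tail a file that Samba writes itself instead of sending through syslog.
module(load="imfile")

# Each line of log.samba becomes one syslog message tagged "samba:".
# Facility/severity are assumed values so the messages can be filtered in Graylog.
input(type="imfile"
      File="/var/log/samba/log.samba"
      Tag="samba:"
      Facility="local6"
      Severity="info"
      ruleset="samba_to_graylog")

# Forward over TCP with the RFC 5424-style format, with a queue so the DC's
# authentication logs survive a short Graylog outage instead of being dropped.
ruleset(name="samba_to_graylog") {
    action(type="omfwd"
           target="192.0.2.10"
           port="5140"
           protocol="tcp"
           template="RSYSLOG_SyslogProtocol23Format"
           queue.type="LinkedList"
           queue.size="10000"
           action.resumeRetryCount="-1")
    stop
}
```

Before restarting, validate with `rsyslogd -N1` and confirm the rsyslog service user (syslog on Ubuntu) can read /var/log/samba/log.samba, since imfile silently produces nothing on a file it cannot open. The `stop` at the end keeps the tailed lines from also matching the existing `*.*` rule and being sent twice. The matching Graylog input must be a Syslog TCP input on the chosen port. If you would rather not tail the file at all, Samba's smb.conf `logging` parameter can send its log output to syslog directly, after which the existing `*.*` rule picks it up without any imfile configuration.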
