Replay syslog logs to graylog


(rob) #1

Hi
loving experimenting with graylog2

currently i have my logs coming in to a syslog-ng server
the config file on the syslog server is sort of like this

source of incoming remote logs
destination syslog logs dir saved under ip address, then by date
destination graylog server
log source and then both destinations

so as logs come in they are saved locally, some templates applied depending on the source, and then sent on to the graylog server

now, through experimenting with graylog i have gone through various rebuilds
how can i resend/reprocess the saved data on the syslog-ng server back to graylog server?

whilst still working to accept logs from current sources

MTIA


(Jan Doberstein) #2

Hej @mrrob

you will need to write a little script that reads the files and sends them over to Graylog. Or you use Filebeat or syslog to send the messages.

regards
Jan


(rob) #3

So you are saying that I need to run something else to replay the log files? Then what is the point of having a syslog server between source and graylog?


(Jochen) #4

Yes, although you can configure syslog-ng to read from your existing files: https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/reference-source-file.html

But that’s no better than using Filebeat, Logstash, or NXLOG.

Buffering, intermediate storage, etc. – it depends on your use case and requirements.

This being said, syslog-ng and other (traditional) syslog servers write the received logs to disk, but not into a database or a journal which allows arbitrary replay.


(rob) #5

So I always put Filebeat with ELK. And always thought that there would be a switch or whatever to reprocess old logs on the syslog.

Would you or anyone have something like with syslog-ng, accept the source and save locally
Then and not sure if possible, run another syslog script to use the file location as source and then just read and forward these?
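One way to do the replay with syslog-ng itself, as an added example that is not from any post in this thread: a second, separate syslog-ng config that uses a wildcard-file() source over the directory the live instance already writes to, and forwards the lines to a Graylog syslog TCP input. The base directory, the Graylog host name and the port 5140 are assumptions; adjust them to the live config.

```conf
@version: 3.25

# Replay-only instance. Assumption: the live syslog-ng saves remote logs as
# /var/log/remote/<source-ip>/<date>.log with the original syslog header intact,
# so the replayed lines carry their original timestamps into Graylog.
source s_saved_logs {
    wildcard-file(
        base-dir("/var/log/remote")     # assumed location of the saved logs
        filename-pattern("*.log")
        recursive(yes)                  # descend into the per-IP subdirectories
        follow-freq(1)
    );
};

# Assumed Graylog syslog TCP input; plain network() sends newline-terminated
# BSD syslog, which Graylog's syslog input parses directly.
destination d_graylog_replay {
    network("graylog.example.internal" port(5140) transport("tcp"));
};

log {
    source(s_saved_logs);
    destination(d_graylog_replay);
};

# Run it beside the live instance with its own persist file, control socket
# and pidfile so the two processes do not share read positions or sockets:
#   syslog-ng -f /etc/syslog-ng/replay.conf \
#             -R /var/lib/syslog-ng/replay.persist \
#             -c /var/lib/syslog-ng/replay.ctl \
#             -p /var/run/syslog-ng-replay.pid
# Stop it once the files are caught up: the persist file remembers the
# positions, so a restart does not resend what was already replayed.
```

Because the live instance keeps appending to the same directory, any message that arrives while the replay instance runs is sent to Graylog twice (once live, once replayed), and Graylog does not deduplicate; point the replay at a copy of the older files, or at date files the live instance has finished writing, if that matters.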

