1. Describe your incident:
I am trying to "read" system logs from a remote Ubuntu server in Graylog. Unfortunately it does not want to work. As I understand, and as I saw in many topics here, the only thing to do is to configure the rsyslog conf file to send to Graylog and one input source in Graylog.
At this moment Graylog gets the Graylog server's rsyslog logs (I see in Graylog when something happens on the Graylog server), but I can't get any logs from the other server. Please also tell me where I can see a full manual on how to do it and a troubleshooting guide, how to properly troubleshoot this step by step (what commands should I exactly use on both servers, and what result more or less should be there?).
2. Describe your environment:
- OS Information:
GRAYLOG server:
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
Client Server:
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
- Package Version:
GRAYLOG server:
rsyslog: origin software="rsyslogd" swVersion="8.2001.0"
graylog: 4.2.5.1
mongo: 4.0.27
elastic: 7.10.2
ufw status:
9000 and 1514, both IPv4 and IPv6; SSH also.
Client Server:
rsyslog: origin software="rsyslogd" swVersion="8.2001.0"
ufw status:
Status: active
To                         Action      From
1514                       ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
5666                       ALLOW       Anywhere
1514 (v6)                  ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
- Service logs, configurations, and environment variables:
Client server:
rsyslog.conf
##module(load="imuxsock") # provides support for local system logging
#module(load="immark") # provides --MARK-- message capability
# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="1514")
# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")
# provides kernel logging support and enable non-kernel klog messages
##module(load="imklog" permitnonkernelfacility="on")
###########################
#### GLOBAL DIRECTIVES ####
###########################
#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Filter duplicated messages
$RepeatedMsgReduction on
#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
#$ModLoad imudp
#$UDPServerRun 1514
*.* @192.168.1.30:1514;RSYSLOG_SyslogProtocol23Format
3. What steps have you already taken to try and solve the problem?
I tried to check with tcpdump, but I am not sure what commands I should use to get info on both servers, please help. I also tried to reconfigure rsyslog.conf on both servers.
4. How can the community help?
At this moment Graylog gets the Graylog server's rsyslog logs (I see in Graylog when something happens on the Graylog server), but I can't get any logs from the other server. Please help me with the configuration of the external server. Please also tell me where I can see a full manual on how to do it and a troubleshooting guide, how to properly troubleshoot this step by step (what commands should I exactly use on both servers, and what result more or less should be there?).
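The step-by-step checks the post asks for, as an added example that is not from the post or from the rsyslog/Graylog projects: a POSIX sh script that decodes the forwarding line from the posted client rsyslog.conf and prints, for each host, the command to run and the result to expect. The Graylog address 192.168.1.30 and port 1514 come from the post; the client's own IP is not in the post and is not assumed.

```shell
#!/bin/sh
# Added example, not from the original post or from rsyslog/Graylog. It decodes
# the poster's forwarding rule ("@" = UDP, "@@" = TCP in rsyslog's legacy
# syntax, port 514 when none is given) and prints the checks to run on each
# side. Host 192.168.1.30 and port 1514 are taken from the post.

# parse_forward_rule 'SELECTOR @[@]HOST[:PORT][;TEMPLATE]'  ->  "proto host port"
parse_forward_rule() {
    rule=$1
    case $rule in
        *@@*) proto=tcp ;;
        *@*)  proto=udp ;;
        *)    echo "not a forwarding rule: $rule" >&2; return 1 ;;
    esac
    target=${rule#*@}; target=${target#@}   # drop the selector and the @ / @@
    target=${target%%;*}                    # drop ";TEMPLATE"
    case $target in
        *:*) host=${target%:*}; port=${target##*:} ;;
        *)   host=$target;      port=514 ;;
    esac
    echo "$proto $host $port"
}

# print_checks PROTO HOST PORT -> commands to run (as root) and what to expect
print_checks() {
    proto=$1; host=$2; port=$3
    if [ "$proto" = udp ]; then ssopt=-ulnp; else ssopt=-tlnp; fi
    cat <<EOF
### client: local input enabled? config valid? does a test line leave the box?
grep -n 'module(load="imuxsock")' /etc/rsyslog.conf   # must NOT start with '#':
                                  # the posted config shows it commented out, and
                                  # without it rsyslog has no local messages to forward
rsyslogd -N1                      # expect "End of config validation run", no errors
systemctl restart rsyslog && logger -t graylogtest "hello from client"
tcpdump -ni any $proto port $port   # expect a packet to $host.$port

### Graylog server ($host): listening? allowed? arriving?
ss $ssopt | grep ":$port "        # expect a java (graylog) socket on *:$port
ufw status                        # expect "$port ALLOW" (no /tcp suffix = both protocols)
tcpdump -ni any $proto port $port   # expect the client's packet; if it shows up here
                                  # but not in Graylog, the input is the wrong type:
                                  # an "@" rule needs a Syslog UDP input, "@@" Syslog TCP
EOF
}

# The rule from the posted client rsyslog.conf:
print_checks $(parse_forward_rule '*.* @192.168.1.30:1514;RSYSLOG_SyslogProtocol23Format')
```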