Rsyslog and logs from Ubuntu to graylog


1. Describe your incident:
I am trying to "read" system logs from a remote Ubuntu server in Graylog. Unfortunately it does not want to work. As I understand, and as I saw in many topics here, the only thing to do is to configure the rsyslog conf file to send to Graylog and one input source in Graylog.
At this moment Graylog gets the Graylog server's rsyslog logs (I see it in Graylog when something happens on the Graylog server), but I can't get any logs from the other server. Please also tell me where I can see a full manual on how to do it and a troubleshooting guide: how to properly troubleshoot this step by step (what commands should I exactly use on both servers, and what result, more or less, should be there?).

2. Describe your environment:

  • OS Information:
    GRAYLOG server:
    Description: Ubuntu 20.04.3 LTS
    Release: 20.04
    Codename: focal

    Client Server:
    Description: Ubuntu 20.04.3 LTS
    Release: 20.04
    Codename: focal

  • Package Version:
    GRAYLOG server:
    rsyslog: origin software="rsyslogd" swVersion="8.2001.0"
    graylog: 4.2.5.1
    mongo: 4.0.27
    elastic: 7.10.2

    ufw status:
    9000 and 1514 both ipv4 and ipv6, ssh also.

    Client Server:
    rsyslog: origin software="rsyslogd" swVersion="8.2001.0"

    ufw status:
    Status: active

    To                         Action      From
    1514                       ALLOW       Anywhere
    22/tcp                     ALLOW       Anywhere
    5666                       ALLOW       Anywhere
    1514 (v6)                  ALLOW       Anywhere (v6)
    22/tcp (v6)                ALLOW       Anywhere (v6)

  • Service logs, configurations, and environment variables:
    Client server:
    rsyslog.conf
##module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
#module(load="imudp")
#input(type="imudp" port="1514")

# provides TCP syslog reception
#module(load="imtcp")
#input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
##module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf


#$ModLoad imudp
#$UDPServerRun 1514
*.* @192.168.1.30:1514;RSYSLOG_SyslogProtocol23Format

3. What steps have you already taken to try and solve the problem?
I tried to check tcpdump, but I am not sure what commands I should use to get info on both servers, please help. Also I tried to reconfigure rsyslog.conf on both servers.

4. How can the community help?
At this moment Graylog gets the Graylog server's rsyslog logs (I see it in Graylog when something happens on the Graylog server), but I can't get any logs from the other server. Please help me with the configuration of the external server. Please also tell me where I can see a full manual on how to do it and a troubleshooting guide: how to properly troubleshoot this step by step (what commands should I exactly use on both servers, and what result, more or less, should be there?).


Hello && Welcome @kabo
I might be able to help.

As for that statement, it's not exactly true.

There are multiple ways to ship logs to Graylog; you may want to read the documentation here.

Second, when posting configuration files please use markdown. This section of this post will enlighten you.

So I assume you created some input on Graylog, and one is Syslog UDP on port 1514?
It should look like this:

If all this is correct, check your rsyslog log files on the client server to make sure there are no issues sending logs to Graylog.

Since this is one way, CLIENT → GRAYLOG, I would use a tcpdump on the Graylog server to see if messages are getting received.
Example:
tcpdump -i eth0 dst 8.8.8.8 port 1514 -vvv

By the way I adjusted this post to make it readable.

Hope that helps
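An added example, not from the original thread and not Graylog's or rsyslog's own code: a small Python UDP receiver that can stand in for the Graylog input while troubleshooting. The client config above forwards with the RSYSLOG_SyslogProtocol23Format template, i.e. RFC 5424 over UDP, so if well-formed datagrams show up here but not in Graylog, the problem is on the input side rather than rsyslog or the firewall. It assumes udp/1514 is free on the host where it runs (stop the Graylog input first, or forward to another port); the sample datagram is constructed.

```python
import re
import socket
import sys

# Constructed sample of what rsyslog emits with RSYSLOG_SyslogProtocol23Format:
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG\n
SAMPLE = (b"<86>1 2022-02-01T10:15:30.123456+00:00 client01 sshd 1234 - - "
          b"Accepted publickey for ubuntu from 192.168.1.40 port 50522 ssh2\n")

_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\])(?: (?P<msg>.*))?$", re.DOTALL)

def parse_rfc5424(datagram: bytes) -> dict:
    """Split one datagram into RFC 5424 fields and decode PRI into facility/severity.
    Raises ValueError for anything else, e.g. legacy RFC 3164 ("<13>Feb  1 ...")."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = _HEADER.match(text)
    if not m or m.group("version") != "1":
        raise ValueError(f"not an RFC 5424 message: {text[:60]!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23 * 8 + severity 0..7
        raise ValueError(f"PRI out of range: {pri}")
    fields = m.groupdict()
    fields["facility"], fields["severity"] = pri >> 3, pri & 7
    fields["msg"] = (fields["msg"] or "").strip()
    return fields

def listen(port: int = 1514, bind: str = "0.0.0.0", count: int = 5) -> list:
    """Receive `count` datagrams on the UDP port and return the parsed results."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        print(f"listening on udp/{port}; run 'logger test' on the client")
        while len(seen) < count:
            data, (src, _) = sock.recvfrom(65535)
            try:
                f = parse_rfc5424(data)
                print(f"{src}: fac={f['facility']} sev={f['severity']} "
                      f"host={f['host']} app={f['app']} msg={f['msg']!r}")
            except ValueError as exc:
                print(f"{src}: {exc}")
                f = {"error": str(exc), "raw": data}
            seen.append(f)
    return seen

if __name__ == "__main__":
    print(parse_rfc5424(SAMPLE))  # offline self-check on the constructed sample
    if "--listen" in sys.argv:    # only when udp/1514 is free (Graylog input stopped)
        listen()
```

Run it with `--listen` on the receiving host and `logger test` on the client; a datagram whose source address is the client but that fails to parse points at the template, while no datagram at all points at the network path.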

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.