Rsyslog streaming doesn't work

Hello @SR_CSV

Thank you for the added information. This helped me understand what you are doing.

If you're only using Rsyslog for buffering, you might want to check this out.

I personally would choose either Rsyslog or Nxlog to ship logs directly to the Graylog input. I have tried using Rsyslog, but unfortunately I was running into problems most of the time, especially when I wanted to adjust configurations on Graylog.

Example:

I believe what you want can be done either with Nxlog_GELF/TCP
OR Graylog Sidecar

To give you a better understanding, this is my setup. My Graylog input is configured with GELF/TCP/TLS and my shipper is Nxlog. Nxlog is shipping logs from a Linux box to Graylog. These settings can be configured/adjusted for GELF_TCP if you don’t want to use TLS.

NXLOG-CONFIG

########################################
# Global directives                    #
########################################
#User nxlog
#Group nxlog

LogFile /var/log/nxlog/nxlog.log
LogLevel INFO

########################################
# Modules                              #
########################################
<Extension _syslog>
    Module      xm_syslog
</Extension>

<Extension _gelf>
    Module      xm_gelf
</Extension>

<Input messages>
    Module       im_file
    FILE         "/var/log/messages"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    Exec  $Message = $raw_event;
</Input>

<Input secure>
    Module       im_file
    FILE         "/var/log/secure"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    Exec  $Message = $raw_event;
</Input>

<Input audit>
   Module       im_file
   FILE         "/var/log/audit/audit.log"
   SavePos       TRUE
   ReadFromLast  TRUE
   PollInterval  1
   Exec  $Message = $raw_event;
</Input>

<Input nextcloud>
   Module       im_file
   FILE         "/mnt/nextcloud-data1/nextcloud.log"
   SavePos       TRUE
   ReadFromLast  TRUE
   PollInterval  1
   Exec  $Message = $raw_event;
</Input>

<Output out>
    # For plain TCP, use om_tcp instead of om_ssl
    Module      om_ssl
    Host        graylog.domain.com
    Port        51411
    OutputType  GELF_TCP
    CertFile        /var/lib/nxlog/cert/graylog3-certificate.pem
    CertKeyFile     /var/lib/nxlog/cert/graylog3-key.pem
    CAFile          /var/lib/nxlog/cert/cert3.pem
    KeyPass         secret
    # AllowUntrusted true: the Graylog server certificate is accepted without verification
    AllowUntrusted  true
    Exec $short_message = $raw_event;
    Exec $Hostname = hostname_fqdn();
</Output>



########################################
# Routes                               #
########################################
<Route>
Path messages => out
</Route>

<Route>
Path secure => out
</Route>

<Route>
Path audit => out
</Route>

<Route>
Path nextcloud => out
</Route>

Here is my Graylog Input,

Results

Overall, I believe you can simplify your setup.
Hope that helps.
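Added example (not part of the original post, and not NXLog or Graylog tooling): a small Python check that reads an NXLog configuration and reports, for each Output block, whether GELF leaves the host in plaintext (om_tcp), over TLS with `AllowUntrusted true` (encrypted, but the server certificate is not verified), or over TLS with verification. The sample config, the `plain` block and its port, and the function names are constructed for illustration; directive names are assumed to be matched case-insensitively.

```python
import re

# Constructed sample modelled on the Output block in the post; the second
# block (name and port) is made up to show the plain-TCP variant.
SAMPLE_CONF = """\
<Output out>
    Module          om_ssl
    Host            graylog.domain.com
    Port            51411
    OutputType      GELF_TCP
    CAFile          /var/lib/nxlog/cert/cert3.pem
    AllowUntrusted  true
</Output>
<Output plain>
    Module          om_tcp
    Host            graylog.domain.com
    Port            12201
    OutputType      GELF_TCP
</Output>
"""

BLOCK_RE = re.compile(r"<Output\s+(\S+?)\s*>(.*?)</Output>", re.S | re.I)


def directives(body):
    """Return {lowercased directive name: value} for one block body."""
    found = {}
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        parts = line.split(None, 1)
        if parts:
            found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found


def classify_outputs(conf_text):
    """Map each Output instance name to its transport security state."""
    states = {}
    for name, body in BLOCK_RE.findall(conf_text):
        d = directives(body)
        module = d.get("module", "").lower()
        if module == "om_tcp":
            states[name] = "plaintext"        # GELF sent without TLS
        elif module == "om_ssl" and d.get("allowuntrusted", "").lower() == "true":
            states[name] = "tls-unverified"   # encrypted, server cert not checked
        elif module == "om_ssl":
            states[name] = "tls-verified"     # default: certificate must verify
        else:
            states[name] = "other"
    return states
```

Calling `classify_outputs(open("/etc/nxlog.conf").read())` on a real file (path assumed) gives the same mapping for that host's outputs.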