1. Describe your incident:
We need to send old archive logs to Graylog from Debian 11 with rsyslog.
2. Describe your environment:
- OS Information: Debian 11
- Package Version: Graylog 5.2
- Service logs, configurations, and environment variables:
3. What steps have you already taken to try and solve the problem?
The configuration I made in rsyslog.conf:
input(type="imfile"
      File="/var/logs/archive.log"
      Tag="log_old"
      Severity="info"
      Facility="local0"
      PersistStateInterval="20000"
      ReadMode="2"
      parseTimestamp="on")

if $programname == 'log_old' then {
    action(type="omfwd"
           Target="192.168.70.7"
           Port="515"
           Protocol="udp")
    stop
}
The log format example line is:
Jul 14 22:06:03 server-2 CRON[3152447]: (CRON) info (No MTA installed, discarding output)
The line arrives in Graylog, but not with the original timestamp: Graylog puts the current time on the event. I need the original timestamp of the log line.
4. How can the community help?
Guidance to export an old log.
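Added example, not part of the original post and not rsyslog or Graylog code: one way to keep event time when replaying an archive is to rebuild each line as an RFC 5424 message whose header timestamp is taken from the line itself. The function names, the year inference from a reference date (the archived lines carry no year) and the UTC zone are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3164 layout of the post's sample line: "Mmm dd hh:mm:ss host app[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
PRI = 16 * 8 + 6  # facility local0 (16) * 8 + severity info (6), as in the post's input()


def original_time(stamp, reference, tz):
    """Date a year-less stamp: latest matching day not after `reference` (assumption)."""
    month, day, clock = stamp.split()
    for year in range(reference.year, reference.year - 9, -1):
        try:
            ts = datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")
        except ValueError:  # Feb 29 in a year that has none
            continue
        ts = ts.replace(tzinfo=tz)
        if ts <= reference + timedelta(days=1):  # one day of slack for clock skew
            return ts
    raise ValueError(f"cannot date {stamp!r}")


def to_rfc5424(line, reference, tz=timezone.utc):
    """Rebuild one archived line as an RFC 5424 message carrying its original time."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None  # not in the expected layout; the caller decides what to do
    ts = original_time(m["ts"], reference, tz)
    return (f"<{PRI}>1 {ts.isoformat()} {m['host']} {m['app']} "
            f"{m['pid'] or '-'} - - {m['msg']}")


if __name__ == "__main__":
    # Constructed reference date (e.g. the archive's mtime); must be timezone-aware.
    ref = datetime(2024, 1, 5, tzinfo=timezone.utc)
    sample = [  # first line is the post's example, the other two are constructed
        "Jul 14 22:06:03 server-2 CRON[3152447]: (CRON) info (No MTA installed, discarding output)",
        "Dec 31 23:59:59 server-2 sshd[811]: constructed line from before the new year",
        "Jan  2 03:04:05 server-2 cron: constructed line without a pid",
    ]
    for raw in sample:
        print(to_rfc5424(raw, ref))
```

Lines for which `to_rfc5424` returns `None` should be logged and reviewed rather than silently dropped, so gaps in the replayed timeline stay visible.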