Send syslog from other Linux to Graylog server

How to send from another Linux to a Graylog server?
Via UDP or TCP? I used the following in rsyslog and restarted it:
*.* @graylog.example.org:514;RSYSLOG_SyslogProtocol23Format
but nothing is coming in to the Graylog server.

Hey @Sharzad

When using port 514, that is a privileged port. I would suggest using port 5140 instead, then configure your input to match rsyslog port 5140. Hope that helps.

Thanks for the reply. I have the following in my rsys.conf:

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
*.* @@10.9.71.226:5140;RSYSLOG_SyslogProtocol23Form

and my input is

  • allow_override_date: true
  • bind_address: 0.0.0.0
  • charset_name: UTF-8
  • expand_structured_data: false
  • force_rdns: false
  • max_message_size: 2097152
  • number_worker_threads: 16
  • override_source:
  • port: 5140
  • recv_buffer_size: 1048576
  • store_full_message: true
  • tcp_keepalive: true
  • timezone: Europe/Copenhagen
  • tls_cert_file:
  • tls_client_auth: disabled
  • tls_client_auth_cert_file:
  • tls_enable: false
  • tls_key_file:
  • tls_key_password:
  • use_null_delimiter: false
Still no input.

Is incoming port tcp/5140 open in the Linux firewall on the Graylog server?

And, to display code snippets correctly, they should be formatted as code, like this

I disabled the firewall. What I have is Graylog on an Incus (LXD) server, and my host is an Ubuntu server. Both can see and ping each other.

What’s your INPUT configuration?

This is my input config:
In the Linux rsyslog.conf it is: *.* @@10.9.71.226:5140;RSYSLOG_SyslogProtocol23Form

and in Graylog I select TCP

and my input is

  • allow_override_date: true
  • bind_address: 0.0.0.0
  • charset_name: UTF-8
  • expand_structured_data: false
  • force_rdns: false
  • max_message_size: 2097152
  • number_worker_threads: 16
  • override_source:
  • port: 5140
  • recv_buffer_size: 1048576
  • store_full_message: true
  • tcp_keepalive: true
  • timezone: Europe/Copenhagen
  • tls_cert_file:
  • tls_client_auth: disabled
  • tls_client_auth_cert_file:
  • tls_enable: false
  • tls_key_file:
  • tls_key_password:
  • use_null_delimiter: false
Still no input.

Hey,

It looks correct. A couple of things to check.

  1. Ensure both Graylog and the remote device have port 5140 open.
  2. Restart the rsyslog service and check the log files for errors, warnings, etc.
  3. You can use tcpdump here and check whether your remote device is sending anything over to Graylog. If it's not, I would look into your remote device's logs to find out what's going on.

EDIT: just to make sure, your input looks like this?

Thanks, it's working. It was a port issue.

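An added example, not part of the original thread and not code from rsyslog or Graylog: a small Python check that parses a legacy-syntax forwarding rule like the ones posted above and compares it with the protocol and port of the Graylog input it should reach. The function names, the partial built-in template list, and the sample lines are assumptions constructed for illustration; IPv6 targets are not handled.

```python
import re
# Reserved built-in rsyslog template names (partial list, assumed sufficient here).
BUILTIN_TEMPLATES = {
    "RSYSLOG_SyslogProtocol23Format", "RSYSLOG_ForwardFormat",
    "RSYSLOG_TraditionalForwardFormat", "RSYSLOG_FileFormat",
}
SEL = r"[^.\s;]+\.[^.\s;]+"  # facility.priority, e.g. *.* or auth.info
RULE = re.compile(
    rf"^(?P<sel>{SEL}(?:;{SEL})*)\s+(?P<at>@@?)(?P<host>[^@:;\s]+)"
    r"(?::(?P<port>\d+))?(?:;(?P<tpl>\S+))?$"
)

def parse_forward_rule(line):
    """Parse '<selector> @[@]host[:port][;template]' (legacy syntax, no IPv6)."""
    m = RULE.match(line.strip())
    if m is None:
        return None
    return {
        "proto": "tcp" if m["at"] == "@@" else "udp",  # @ = UDP, @@ = TCP
        "host": m["host"],
        "port": int(m["port"] or 514),  # rsyslog forwards to 514 when no port is given
        "template": m["tpl"],
    }

def lint(line, input_proto, input_port):
    """Compare one forwarding rule with the Graylog input it should reach."""
    rule = parse_forward_rule(line)
    if rule is None:
        return ["not a forwarding rule: selector (e.g. *.*) or @host action missing"]
    findings = []
    if rule["proto"] != input_proto:
        findings.append(f"rule sends {rule['proto']} but input listens on {input_proto}")
    if rule["port"] != input_port:
        findings.append(f"rule targets port {rule['port']} but input listens on {input_port}")
    if input_port < 1024:
        findings.append(f"input port {input_port} is privileged: a non-root server cannot bind it")
    if (tpl := rule["template"]) and tpl.startswith("RSYSLOG_") and tpl not in BUILTIN_TEMPLATES:
        findings.append(f"template {tpl} is not a built-in name in this list")
    return findings

if __name__ == "__main__":
    samples = [  # constructed lines modelled on the ones posted in the thread
        ". @graylog.example.org:514;RSYSLOG_SyslogProtocol23Format",
        "*.* @graylog.example.org:514;RSYSLOG_SyslogProtocol23Format",
        "*.* @@10.9.71.226:5140;RSYSLOG_SyslogProtocol23Form",
        "*.* @@10.9.71.226:5140;RSYSLOG_SyslogProtocol23Format",
    ]
    for s in samples:  # input assumed to be Syslog TCP on port 5140
        print(s, "->", lint(s, "tcp", 5140) or "ok")
```

A clean result only means the rule and the input agree; whether packets actually arrive still has to be confirmed with tcpdump on the Graylog side, as suggested in the thread.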