Send syslog messages from Graylog host server to Graylog itself

I’m currently running a Graylog server on an Ubuntu Server 20.04 VM. It is configured to listen on UDP port 5514 for syslog messages and store them in Graylog. On my other server VMs, I can configure rsyslog to send that server’s syslog messages to my Graylog server using UDP 5514 and Graylog receives them with no issues. However, I would also like the syslog messages from the server that is hosting Graylog to show up in Graylog itself. I tried creating an rsyslog file that sent messages to localhost:5514 via UDP but it seemed to end up in an infinite loop where rsyslog was sending messages to itself and then storing them in /var/log/syslog until the file filled up the entire drive and things started breaking due to a lack of storage space. Is there any way to have Graylog show log messages from its host without causing this infinite loop?

Thanks so much

Hello && welcome @tactile3765

Yes there is.

This would depend on the configurations that were made. Showing us would be helpful in troubleshooting this issue.

@gsmith

Here is the rsyslog configuration I was using for rsyslog:

    *.* @localhost:5514;RSYSLOG_SyslogProtocol23Format

And then here is the graylog input configuration:

    allow_override_date: true
    bind_address: 0.0.0.0
    expand_structured_data: false
    force_rdns: false
    number_worker_threads: 4
    override_source: <empty>
    port: 5514
    recv_buffer_size: 262144
    store_full_message: false

Thank you!

Hello,

Not sure why this is happening to you, perhaps check SELinux/firewalls, etc…

Here are my lab configurations, maybe that will help.

    root@ansible:~# lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 20.04.4 LTS
    Release:        20.04
    Codename:       focal
    root@ansible:/etc# cat /etc/rsyslog.conf | egrep -v "^\s*(#|$)"
    module(load="imuxsock") # provides support for local system logging
    *.* @8.8.8.8:8514
    module(load="imklog" permitnonkernelfacility="on")
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $RepeatedMsgReduction on
    $FileOwner syslog
    $FileGroup adm
    $FileCreateMode 0640
    $DirCreateMode 0755
    $Umask 0022
    $PrivDropToUser syslog
    $PrivDropToGroup syslog
    $WorkDirectory /var/spool/rsyslog
    $IncludeConfig /etc/rsyslog.d/*.conf
    root@ansible:/etc#

Results:

Maybe try not to use localhost and try using 127.0.0.1 or the IP Address of this Graylog server. Just an idea for troubleshooting.
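
A check for the condition described in the question, rsyslog forwarding to a port that rsyslog itself is listening on, written as an added example that is not from the thread. The function name, the constructed sample configs and the single-file scope (no `$IncludeConfig` expansion) are assumptions, and the thread does not establish that this was the cause of the loop.

```python
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
PARAM = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# Legacy forward: "<selector> @host:port" is UDP, "@@host:port" is TCP.
LEGACY_FWD = re.compile(r"^[ \t]*\S+[ \t]+(@@?)([\w.-]+):(\d+)", re.M)
# Legacy listener directives.
LEGACY_IN = re.compile(r"^[ \t]*\$(UDPServerRun|InputTCPServerRun)[ \t]+(\d+)", re.M)
# RainerScript input(...) and action(...) statements, possibly multi-line.
STMT = re.compile(r"\b(input|action)\s*\((.*?)\)", re.S)


def find_self_forwarding(conf, local_addrs=()):
    """Return (proto, host, port) forwards aimed at this rsyslog's own listener."""
    text = re.sub(r"#.*", "", conf)  # drop comments
    local = LOOPBACK | set(local_addrs)
    listeners, forwards = set(), []
    for kind, port in LEGACY_IN.findall(text):
        listeners.add(("udp" if kind == "UDPServerRun" else "tcp", port))
    for at, host, port in LEGACY_FWD.findall(text):
        forwards.append(("tcp" if at == "@@" else "udp", host, port))
    for name, body in STMT.findall(text):
        p = {k.lower(): v for k, v in PARAM.findall(body)}
        if name == "input" and p.get("type") in ("imudp", "imtcp"):
            listeners.add((p["type"][2:], p.get("port", "514")))
        elif name == "action" and p.get("type") == "omfwd":
            # omfwd defaults: protocol udp, port 514
            forwards.append((p.get("protocol", "udp").lower(),
                             p.get("target", ""), p.get("port", "514")))
    return [f for f in forwards
            if f[1].lower() in local and (f[0], f[2]) in listeners]


# Constructed sample: rsyslog listens on UDP 5514 and also forwards there.
LOOPING = '''module(load="imudp")
input(type="imudp" port="5514")
*.* @localhost:5514;RSYSLOG_SyslogProtocol23Format
'''
# Constructed sample: same forward rule, but rsyslog has no network listener,
# so UDP 5514 on this host belongs to another process (e.g. the Graylog input).
CLEAN = '''module(load="imuxsock")
*.* @localhost:5514;RSYSLOG_SyslogProtocol23Format
'''

if __name__ == "__main__":
    print("looping:", find_self_forwarding(LOOPING))
    print("clean:  ", find_self_forwarding(CLEAN))
```

Pass the host's own IP addresses as `local_addrs` so that forwards to the server's LAN address are checked as well as loopback ones.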