Send syslog messages from Graylog host server to Graylog itself

I’m currently running a Graylog server on an Ubuntu Server 20.04 VM. It is configured to listen on UDP port 5514 for syslog messages and store them in Graylog. On my other server VMs, I can configure rsyslog to send that server’s syslog messages to my Graylog server using UDP 5514 and Graylog receives them with no issues. However, I would also like the syslog messages from the server that is hosting Graylog to show up in Graylog itself. I tried creating an rsyslog file that sent messages to localhost:5514 via UDP but it seemed to end up in an infinite loop where rsyslog was sending messages to itself and then storing them in /var/log/syslog until the file filled up the entire drive and things started breaking due to a lack of storage space. Is there any way to have Graylog show log messages from its host without causing this infinite loop?

Thanks so much

Hello && welcome @tactile3765

Yes there is.

This would depend on the configurations that were made. Showing us would be helpful in troubleshooting this issue.

@gsmith

Here is the rsyslog configuration I was using for rsyslog:

    *.* @localhost:5514;RSYSLOG_SyslogProtocol23Format

And then here is the graylog input configuration:

    allow_override_date: true
    bind_address: 0.0.0.0
    expand_structured_data: false
    force_rdns: false
    number_worker_threads: 4
    override_source: <empty>
    port: 5514
    recv_buffer_size: 262144
    store_full_message: false

Thank you!

Hello,

Not sure why this is happening to you, perhaps check SELinux/firewalls, etc…

Here are my lab configurations, maybe that will help.

    root@ansible:~# lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 20.04.4 LTS
    Release:        20.04
    Codename:       focal
    root@ansible:/etc# cat /etc/rsyslog.conf | egrep -v "^\s*(#|$)"
    module(load="imuxsock") # provides support for local system logging
    *.* @8.8.8.8:8514
    module(load="imklog" permitnonkernelfacility="on")
    $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
    $RepeatedMsgReduction on
    $FileOwner syslog
    $FileGroup adm
    $FileCreateMode 0640
    $DirCreateMode 0755
    $Umask 0022
    $PrivDropToUser syslog
    $PrivDropToGroup syslog
    $WorkDirectory /var/spool/rsyslog
    $IncludeConfig /etc/rsyslog.d/*.conf
    root@ansible:/etc#

Results:

Maybe try not to use localhost and try using 127.0.0.1 or the IP Address of this Graylog server. Just an idea for troubleshooting.
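
The thread never pins down what fed rsyslog's output back into itself. One configuration that produces the loop described in the first post is rsyslog listening (imudp/imtcp) on the same local port it forwards to; the Python below is an added example, not from any poster, that scans rsyslog config text for that overlap. The sample configs are constructed, `find_loops` and `LOCAL_HOSTS` are hypothetical names, and only single-line statements are parsed.

```python
import re

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}  # add the host's own IPs as needed
# Legacy forward: "*.* @host:port" (UDP) or "*.* @@host:port" (TCP)
LEGACY_FWD = re.compile(r"^\S+\s+(@@?)(\[[^\]]+\]|[^\s:;]+):(\d+)")
# Legacy listeners: "$UDPServerRun 514" / "$InputTCPServerRun 514"
LEGACY_IN = re.compile(r"^\$(UDPServerRun|InputTCPServerRun)\s+(\d+)", re.I)
# RainerScript: input(type="imudp" port="514") / action(type="omfwd" ...)
STMT = re.compile(r"\b(input|action)\s*\(([^)]*)\)", re.I)
PARAM = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def find_loops(config_text, local_names=LOCAL_HOSTS):
    """Return sorted (proto, port) pairs rsyslog both listens on and forwards to locally."""
    listeners, forwards = set(), set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = LEGACY_IN.match(line)
        if m:
            proto = "udp" if m.group(1).lower() == "udpserverrun" else "tcp"
            listeners.add((proto, int(m.group(2))))
            continue
        m = LEGACY_FWD.match(line)
        if m:
            if m.group(2).strip("[]").lower() in local_names:
                forwards.add(("tcp" if m.group(1) == "@@" else "udp", int(m.group(3))))
            continue
        for kind, body in STMT.findall(line):
            p = {k.lower(): v for k, v in PARAM.findall(body)}
            t = p.get("type", "").lower()
            if kind.lower() == "input" and t in ("imudp", "imtcp") and p.get("port", "").isdigit():
                listeners.add((t[2:], int(p["port"])))
            elif kind.lower() == "action" and t == "omfwd" and p.get("target", "").lower() in local_names:
                # omfwd defaults: protocol udp, port 514
                forwards.add((p.get("protocol", "udp").lower(), int(p.get("port", "514"))))
    return sorted(listeners & forwards)

# Constructed sample: rsyslog listens on 5514 and forwards to it, so output re-enters rsyslog.
LOOPING = '''module(load="imudp")
input(type="imudp" port="5514")
*.* @localhost:5514;RSYSLOG_SyslogProtocol23Format
'''
# Constructed sample: rsyslog only forwards; something else (e.g. Graylog) owns 5514.
SAFE = '''module(load="imuxsock")
*.* @localhost:5514;RSYSLOG_SyslogProtocol23Format
'''

if __name__ == "__main__":
    print("looping:", find_loops(LOOPING))
    print("safe:", find_loops(SAFE))
```

Run it over the concatenated contents of `/etc/rsyslog.conf` and `/etc/rsyslog.d/*.conf`; an empty result means rsyslog is not the process listening on the forward target.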
