Sending DNS logs to graylog-server 5.1 without rsyslog.conf

"Hello, I’m relatively new to working with Graylog and rsyslog. A few days ago, I installed Graylog Server 5.1 on Ubuntu 22.04 and successfully configured it to receive syslog logs. However, I’m having trouble sending DNS logs, which are stored in /var/log/named/query.log, to Graylog. I’ve tried two different configurations, and I’m looking for guidance on how to achieve this while keeping the DNS logs separate from other logs like those in /var/log/syslog.

Configuration 1: I created a separate file named /rsyslog.d/named-query.conf with the following content:

if $programname == 'named' and $msg contains 'query' then {
    action(type="omfwd" target="192.168.0.3" port="5515" protocol="tcp" template="RSYSLOG_SyslogProtocol23Format")
}

this doesn’t seem to work.

Configuration 2: I also tried modifying the /etc/rsyslog.conf file with…

$ModLoad imfile
$InputFileName /var/log/named/query.log
$InputFileTag dns:
$InputFileStateFile stat-dns
$InputFileSeverity info
$InputFileFacility local0
$InputRunFileMonitor
local0.* @@192.168.0.3:5515

This works for sending DNS logs to Graylog, but it also sends logs to /var/log/syslog, which I want to avoid.

Is there a way to configure rsyslog to send DNS logs to Graylog from /var/log/named/query.log without having my DNS logs show up in /var/log/syslog? Any advice or insights would be greatly appreciated. Thank you!"
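One rsyslog-only way to get the separation the question asks for, added here as an example and not taken from the post or from the Graylog project: read query.log with imfile and bind that input to its own ruleset. Messages from an input bound to a dedicated ruleset are not handed to the default ruleset, so the stock Ubuntu rules in /etc/rsyslog.d/50-default.conf (which write `*.*` and `local0.*` traffic to /var/log/syslog) never see them. The target address and port (192.168.0.3:5515), the tag `dns:` and the facility/severity are taken from the question; the ruleset name `dns-to-graylog` and the file name are assumptions. Place this in a file under /etc/rsyslog.d/ and restart rsyslog.

```rsyslog
# /etc/rsyslog.d/named-query.conf  (example; file name is an assumption)

# Load the file-following input module once.
module(load="imfile")

# Follow BIND's query log. Binding the input to a dedicated ruleset is what
# keeps these lines out of the default ruleset and therefore out of
# /var/log/syslog. Facility/severity match the values used in the question.
input(type="imfile"
      File="/var/log/named/query.log"
      Tag="dns:"
      Facility="local0"
      Severity="info"
      ruleset="dns-to-graylog")

# Everything from that input goes to the Graylog syslog TCP input only.
# Host/port/template are the values from the question.
ruleset(name="dns-to-graylog") {
    action(type="omfwd"
           target="192.168.0.3"
           port="5515"
           protocol="tcp"
           template="RSYSLOG_SyslogProtocol23Format")
}
```

Check the result with `rsyslogd -N1` (config syntax) and then confirm that new query.log lines appear in the Graylog input while `tail -f /var/log/syslog` stays free of `dns:` entries. This also explains why the first configuration in the question did nothing: BIND writes query.log directly to disk rather than through syslog, so no message ever arrives with `$programname == 'named'` for the filter to match. Note that the legacy `$InputFileStateFile` directive is not needed with the RainerScript `input()` form; rsyslog manages state files itself.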

If you’re not set on using syslog, you could use a client (e.g. Filebeat or NXLog) to collect the events and send them in via a Beats input.
