Sending DNS logs to graylog-server 5.1 without rsyslog.conf

"Hello, I’m relatively new to working with Graylog and rsyslog. A few days ago, I installed Graylog Server 5.1 on Ubuntu 22.04 and successfully configured it to receive syslog logs. However, I’m having trouble sending DNS logs, which are stored in /var/log/named/query.log, to Graylog. I’ve tried two different configurations, and I’m looking for guidance on how to achieve this while keeping the DNS logs separate from other logs like those in /var/log/syslog.

Configuration 1: I created a separate file named /rsyslog.d/named-query.conf with the following content:

if $programname == ‘named’ and $msg contains ‘query’ then {
action(type=“omfwd” target=“” port=“5515” protocol=“tcp” template=“RSYSLOG_SyslogProtocol23Format”)

this doesn’t seem to work.

Configuration 2: I also tried modifying the /etc/rsyslog.conf file with…

$ModLoad imfile
$InputFileName /var/log/named/query.log
$InputFileTag dns:
$InputFileStateFile stat-dns
$InputFileSeverity info
$InputFileFacility local0
local0.* @@

This works for sending DNS logs to Graylog, but it also sends logs to /var/log/syslog, which I want to avoid.

Is there a way to configure rsyslog to send DNS logs to Graylog from /var/log/named/query.log without have my DNS logs showing in /var/log/syslog?, Any advice or insights would be greatly appreciated. Thank you!"

If you’re not set on using syslog, you could use a client, (e.g. Filebeat or NXLog) to collect the events and send them in via a Beats input.

1 Like