Hi,
I want to receive logs on my Graylog; these logs come from Syslog, but Graylog and Syslog are not on the same server.
How can I do this, please?
I read this, but I still don’t know.
You need to create a Syslog input on Graylog and then configure your syslog to forward the messages to the previously created input.
Can you show me, please, how I can create a Syslog input?
In my previous test on ELK I used Filebeat to push logs into my server; can I use it also with Graylog?
You create inputs in the Graylog web interface on the System (menu bar on top) / Inputs page.
Yes, you can also use any Beat (such as Filebeat) with Graylog. You only need to create a Beats input (on the System/Inputs page) and use Filebeat’s “logstash” protocol to send messages to Graylog.
That’s because the input is not running and because port 514/udp is a privileged port.
See http://docs.graylog.org/en/2.4/pages/faq.html#how-can-i-start-an-input-on-a-port-below-1024 for more details.
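As an added example (not code from the thread or from the Graylog project), the forwarding side of the answer above: a small POSIX shell helper that writes the rsyslog rule sending local messages to a remote Graylog Syslog input, and a comment showing the port redirect that the linked FAQ recommends when senders can only reach 514/udp. The host graylog.example.com and the port 1514 are placeholder assumptions; 1514 is unprivileged, so the graylog service user needs no extra capability to bind it.

```shell
#!/bin/sh
# Added example: generate the rsyslog forwarding rule for a remote Graylog
# Syslog input. Host and port below are placeholders, not values from the thread.

# write_forward_conf FILE HOST PORT
# Writes an rsyslog action that forwards every message over TCP in RFC 5424
# format (RSYSLOG_SyslogProtocol23Format), which a Graylog Syslog TCP input
# parses directly. The disk-assisted queue keeps messages while Graylog is
# unreachable, and resumeRetryCount=-1 retries forever instead of dropping.
write_forward_conf() {
    file="$1"; host="$2"; port="$3"
    cat > "$file" <<EOF
# Forward all local syslog messages to Graylog (written by write_forward_conf).
action(
    type="omfwd"
    target="$host"
    port="$port"
    protocol="tcp"
    template="RSYSLOG_SyslogProtocol23Format"
    queue.type="LinkedList"
    queue.filename="graylog_fwd"
    action.resumeRetryCount="-1"
)
EOF
}

# conf_forwards_to FILE HOST PORT
# Returns 0 when FILE contains a TCP forward to HOST:PORT, 1 otherwise;
# used to verify the generated file before reloading rsyslog.
conf_forwards_to() {
    grep -q "target=\"$2\"" "$1" \
        && grep -q "port=\"$3\"" "$1" \
        && grep -q 'protocol="tcp"' "$1"
}

# On the Graylog host: if senders are locked to 514/udp, redirect the
# privileged port to the input's port instead of running Graylog as root
# (run once as root; persist with your distribution's iptables save tool):
#   iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-ports 1514

# Only touches the system when invoked explicitly with --install.
if [ "${1:-}" = "--install" ]; then
    write_forward_conf /etc/rsyslog.d/50-graylog.conf graylog.example.com 1514
    conf_forwards_to /etc/rsyslog.d/50-graylog.conf graylog.example.com 1514 || exit 1
    rsyslogd -N1 && systemctl restart rsyslog   # validate config, then reload
fi
```

After the restart, a message from `logger -t test "hello graylog"` on the sender should appear in the input's "Show received messages" view; if it does not, confirm the input is in the running state on System/Inputs and that the port is open between the two servers.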
Is this line correct?
elasticsearch_hosts = http://network-2.172.16.250.29:9200
(network-2 = name of the node)
No, either use the IP address of the Elasticsearch node or its hostname. The Elasticsearch node name has nothing to do with it.
Is it important that the name of the cluster is graylog?
Can you help resolve this?
[root@frghcslnetv12 server]# curl -X GET http://localhost:9200
curl: (7) Failed connect to localhost:9200; Connection refused
No, that’s not required since Graylog 2.3.0.
That’s just to make sure that you don’t accidentally write into a “test” Elasticsearch cluster which might exist in your network.
Check the logs of your Elasticsearch node(s) and make sure that the service is running.
[root@frghcslnetv12 ~]# systemctl status elasticsearch.service
● elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Wed 2018-06-13 11:53:44 CEST; 10s ago
Docs: http://www.elastic.co
Process: 24501 ExecStart=/usr/share/elasticsearch/bin/elasticsearch -p ${PID_DIR}/elasticsearch.pid --quiet (code=exited, status=1/FAILURE)
Main PID: 24501 (code=exited, status=1/FAILURE)
Jun 13 11:53:42 frghcslnetv12 systemd[1]: Started Elasticsearch.
Jun 13 11:53:42 frghcslnetv12 systemd[1]: Starting Elasticsearch...
Jun 13 11:53:44 frghcslnetv12 systemd[1]: elasticsearch.service: main process exited, code=exited, status=1/FAILURE
Jun 13 11:53:44 frghcslnetv12 systemd[1]: Unit elasticsearch.service entered failed state.
Jun 13 11:53:44 frghcslnetv12 systemd[1]: elasticsearch.service failed.
I don’t know why it doesn’t want to start
Check the logs of that Elasticsearch node.
http://docs.graylog.org/en/2.4/pages/configuration/file_location.html
[root@frghcslnetv12 elasticsearch]# df -k
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/vgroot-root 22132164 6197168 15934996 29% /
devtmpfs 3980968 0 3980968 0% /dev
tmpfs 3997156 0 3997156 0% /dev/shm
tmpfs 3997156 12220 3984936 1% /run
tmpfs 3997156 0 3997156 0% /sys/fs/cgroup
/dev/sda1 1038336 212980 825356 21% /boot
/dev/mapper/vgdata-lvdata 50442784 47857392 0 100% /data
tmpfs 799432 0 799432 0% /run/user/0
My database is full. I use Curator on the other node, but it doesn’t clear this node. Can you help me?
Well, you either have to provide more disk space to the “lvdata” logical volume and increase the /data partition, or free some disk space from the /data partition.
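As an added example (not from the thread), a check that would have surfaced the full /data partition before Elasticsearch failed to start: a POSIX shell function that reads `df -k` output and reports every real filesystem at or above a usage threshold. The sample output embedded below is constructed in the same layout as the thread's `df -k` listing; the default threshold of 90% matches Elasticsearch's default high disk watermark (85% low, 90% high, 95% flood stage), above which the node stops accepting new shards even before the disk is completely full.

```shell
#!/bin/sh
# Added example: flag nearly full filesystems from `df -k` output.
# Elasticsearch refuses shard allocation past its disk watermarks and cannot
# start at all when its data path has no free space, which is what the
# systemd failure in the thread looks like from the outside.

# Constructed sample in `df -k` layout (not the thread's real output).
SAMPLE_DF='Filesystem 1K-blocks Used Available Use% Mounted on
/dev/mapper/vgroot-root 22132164 6197168 15934996 29% /
tmpfs 3997156 12220 3984936 1% /run
/dev/mapper/vgdata-lvdata 50442784 47857392 0 100% /data'

# full_filesystems THRESHOLD   (reads `df -k` output on stdin)
# Prints "MOUNTPOINT USE%" for every filesystem at or above THRESHOLD percent,
# skipping the header line and RAM-backed pseudo filesystems.
full_filesystems() {
    threshold="${1:-90}"
    awk -v limit="$threshold" '
        NR == 1 { next }                      # header line
        $1 ~ /^(tmpfs|devtmpfs)$/ { next }    # RAM-backed, not data volumes
        {
            pct = $5; sub(/%$/, "", pct)      # "100%" -> 100
            if (pct + 0 >= limit + 0) print $6, pct "%"
        }'
}

# check_live_disks THRESHOLD: same check against the running system.
check_live_disks() {
    df -k | full_filesystems "${1:-90}"
}

# With --live the real system is checked; otherwise the constructed sample
# is used so the script runs anywhere.
if [ "${1:-}" = "--live" ]; then
    check_live_disks "${2:-90}"
else
    printf '%s\n' "$SAMPLE_DF" | full_filesystems 90
fi
```

Run with `--live 85` from cron on each Elasticsearch node to get warned at the low watermark, which leaves time to grow the logical volume or let Curator delete old indices before the node stops.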