Hello,
I just set up a Graylog server to receive authentication logs from all the servers on my network and it seems to be working fine.
All servers in the network first send their logs to a syslog server, there is one for the dmz and one for the internal zone.
Here is the configuration on each server in the /etc/rsyslog.conf file (here the server sends the logs to the internal syslog; it is the conf of one of the servers that has a problem):
So far I have no problem, all the logs of all the servers arrive well in my syslog server, which stores them in a folder specific to each server.
Example of a conf file for a server on my syslog server in /etc/rsyslog.d/:
And here is the configuration of my syslog server rsyslog file so that it sends all connection logs to the graylog server:
However, the problem shows up on my Graylog server. While my configuration is the same on each server, the connection logs of some servers appear very late on my Graylog, while they arrive immediately on my syslog server, and it sends all the connection logs it has. That's why I can't understand the problem.
For example, you can see here logs from a server, but not authentication logs (while I logged on to it several times):
I would like to point out again that this is only for a few servers, as we can see here on a working server:
The message appeared instantly
Thanks to those who will try to help me
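As an added illustration of the chain described in the post (the poster's own config files are not shown above), here is one way to write the two rsyslog ends in the native `action()` syntax: the client forwards only auth/authpriv messages to its zone relay with a disk-assisted queue, and the relay writes one file per sending host and forwards the same messages to Graylog in RFC 5424 format. Hostnames, the Graylog input port 1514 and the file paths are assumptions; forwarding in RFC 5424 format keeps the sender's original timestamp and hostname, so the receive time Graylog records can be compared against the message's own timestamp to see on which hop a delay is introduced.

```conf
### Client side (/etc/rsyslog.d/50-forward-auth.conf, assumed path) ###
# Forward only authentication logs to the zone relay over TCP.
# A disk-assisted queue buffers messages instead of dropping them
# when the relay is unreachable; retry forever rather than suspend.
auth.*;authpriv.* action(type="omfwd"
    target="syslog-internal.example.net" port="514" protocol="tcp"
    queue.type="LinkedList" queue.filename="fwd_relay"
    queue.saveOnShutdown="on" action.resumeRetryCount="-1")

### Relay side (/etc/rsyslog.d/10-relay.conf, assumed path) ###
module(load="imtcp")
input(type="imtcp" port="514")

# One auth.log per sending host, keyed on the hostname in the message.
template(name="PerHostAuth" type="string"
         string="/var/log/remote/%HOSTNAME%/auth.log")

if ($fromhost-ip != "127.0.0.1") and
   ($syslogfacility-text == "auth" or $syslogfacility-text == "authpriv") then {
    # Local copy, stored per server.
    action(type="omfile" dynaFile="PerHostAuth")
    # Relay to Graylog in RFC 5424 format so the original timestamp and
    # hostname survive; queued the same way as on the client.
    action(type="omfwd"
        target="graylog.example.net" port="1514" protocol="tcp"
        template="RSYSLOG_SyslogProtocol23Format"
        queue.type="LinkedList" queue.filename="fwd_graylog"
        queue.saveOnShutdown="on" action.resumeRetryCount="-1")
    # Do not let these messages fall through to the relay's own local rules.
    stop
}
```

Check the active rules with `rsyslogd -N1` before restarting; a relay rule that matches on the facility will silently skip hosts that log SSH events under a different facility.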