Step 7: Configure Source to Send Your Data

This week we’re in Step 7 (of 12) Click here to play.
One participant will win a $100 Amazon Gift Certificate. Jump in! There’s still time to play. For each step you respond to, you’ll get another chance to win. Our top contenders are @shoothub and @gsmith, currently vying for the most chances to win.

Tell how you configured your source. What language did you use to build your template or rules?
What more would you like to learn about source configuration? Be specific.

Thank you to the community members who have been playing the User Journey Game. Keep it going! Remember, each submission is an entry in the User Journey raffle. The winner whose name is drawn will receive a $100 Amazon Gift Certificate.

Posting a valid++ response to this question is worth 1 chance to win.

For EACH STEP (there are 12 in all) in Graylog User’s Journey in which you post a valid++ response, you get a chance to win a $100 Amazon Gift Certificate! One lucky winner will have up to 12 chances to win. Go to “From the Graylog Book” to find the steps.

++Validity of response is subject to the community manager’s approval.
To play, respond to this post with your response to this week’s questions.

My source configuration for sending logs to Graylog depends on the type of device:

  1. Network devices:
    I’ve set up syslog forwarding according to the manufacturer’s official docs, or asked Uncle Google for help.

    Here are some manuals on how to set up external syslog for different manufacturers:

  2. Linux devices:
    You usually use rsyslog, as it’s the most-used syslog daemon on Linux systems. If you can, always use the RFC 5424 syslog format, as it contains a correct timezone definition, so the time is correctly detected by Graylog.
  3. Windows devices:
    For Windows you have more options. I’ve always used Sidecar, because it is much easier to configure templates centrally than manually on every host.

Tips to success:

  • Always set up correct time and date synchronization using NTP on the source device
  • Always set up the correct timezone; use either the local timezone or UTC
  • Check your firewall to allow the connection from the device to the Graylog server, on the specific port and protocol
  • Think about and configure the Graylog input and index before sending logs from devices
  • For testing purposes I would suggest creating a dummy index and input with low retention to test new types of devices.
  • Don’t try to send new messages to production indexes (inputs) if you are in the POC and testing phase. You can end up with unnecessary fields which are not possible to remove.
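The post above recommends RFC 5424 over the older BSD (RFC 3164) format because only RFC 5424 carries a timezone offset. The following Python is an added example, not code from the post's author or from the Graylog project: it builds an RFC 5424 line from a timezone-aware timestamp, parses both formats, and shows how an RFC 3164 line forces the receiver to guess a timezone. The two sample log lines, the host name `web01` and the `assumed_tz` parameter are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines: the same sshd event in the two syslog header formats.
# The RFC 5424 line says the event happened at 14:02:07 in a UTC+2 zone;
# the RFC 3164 line has no year and no timezone at all.
RFC3164_LINE = ("<34>Oct  5 14:02:07 web01 sshd[1234]: Failed password for root "
                "from 203.0.113.9 port 4321 ssh2")
RFC5424_LINE = ("<34>1 2023-10-05T14:02:07.000+02:00 web01 sshd 1234 - - "
                "Failed password for root from 203.0.113.9 port 4321 ssh2")

_RFC5424_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)
_RFC3164_HDR = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)


def build_rfc5424(when, host, app, procid, msg, facility=4, severity=2):
    """Format one RFC 5424 syslog line.

    `when` must be timezone-aware: the whole point of RFC 5424 here is that
    the header carries an explicit UTC offset, so a naive datetime is refused.
    """
    if when.tzinfo is None:
        raise ValueError("RFC 5424 timestamps need a timezone-aware datetime")
    pri = facility * 8 + severity  # PRI = facility*8 + severity per RFC 5424
    ts = when.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return f"<{pri}>1 {ts} {host} {app} {procid} - - {msg}"


def parse_timestamp(line, year=None):
    """Return (datetime, has_tz) for a syslog line, or (None, False) if no header matches.

    RFC 5424 yields an aware datetime. RFC 3164 yields a naive one and has_tz=False:
    the format carries neither a year nor an offset, so `year` defaults to the
    current year, exactly the guess a receiver is forced to make.
    """
    m = _RFC5424_HDR.match(line)
    if m:
        dt = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
        return dt, dt.tzinfo is not None
    m = _RFC3164_HDR.match(line)
    if m:
        year = year or datetime.now().year
        dt = datetime.strptime(
            f"{year} {m.group('mon')} {m.group('day')} {m.group('time')}",
            "%Y %b %d %H:%M:%S",
        )
        return dt, False
    return None, False


def normalize_to_utc(line, assumed_tz=timezone.utc, year=None):
    """Convert a line's timestamp to UTC.

    If the line carries an offset it is used; otherwise `assumed_tz` (hypothetical
    receiver setting) is attached first. A wrong assumption silently shifts the
    event by whole hours, which is the failure mode the post warns about.
    """
    dt, has_tz = parse_timestamp(line, year=year)
    if dt is None:
        return None
    if not has_tz:
        dt = dt.replace(tzinfo=assumed_tz)
    return dt.astimezone(timezone.utc)


def example_line():
    """Build the sample event as an RFC 5424 line in UTC (deterministic for testing)."""
    when = datetime(2023, 10, 5, 12, 2, 7, tzinfo=timezone.utc)
    return build_rfc5424(when, "web01", "sshd", "1234",
                         "Failed password for root from 203.0.113.9 port 4321 ssh2")


def skew_hours(assumed_tz=timezone.utc):
    """Hours by which the RFC 3164 line lands away from the RFC 5424 truth
    when the receiver assumes `assumed_tz` for timezone-less messages."""
    truth = normalize_to_utc(RFC5424_LINE)
    guess = normalize_to_utc(RFC3164_LINE, assumed_tz=assumed_tz, year=2023)
    return (guess - truth) / timedelta(hours=1)


if __name__ == "__main__":
    print(example_line())
    print("RFC 5424 -> UTC:", normalize_to_utc(RFC5424_LINE))
    print("RFC 3164 assumed UTC -> UTC:", normalize_to_utc(RFC3164_LINE, year=2023))
    print("skew when receiver assumes UTC:", skew_hours(), "h")
    print("skew when receiver assumes +02:00:",
          skew_hours(timezone(timedelta(hours=2))), "h")
```

Running it shows the RFC 5424 line normalizes to 12:02:07Z regardless of the receiver's settings, while the RFC 3164 line lands two hours late if the receiver assumes UTC and is only correct when the receiver happens to be told the sender's offset; with rsyslog, selecting an RFC 5424 output template on the forwarding action removes that guesswork.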

Awesome. Thanks for participating!

Hi, Shoothub,

Thanks for sending this along. Do you want to include it with your interview article? I think this would be awesome, too, as a stand-alone entry in the community. What are your thoughts?