Syslog data collection for GrayLog


(Gregory West) #1

I now have Graylog up and running on my main rsyslog server, CentOS 7. As far as I can tell rsyslog is collecting all the syslog information from my servers and workstations, but Graylog cannot see any of this.

Question is, am I doing something wrong? Should I even be running rsyslog? I find the docs are GREAT once you get to know what is going on, but hard to comprehend while I am still learning how everything fits together.

Should I have other plugins loaded?

Are there any examples of a single GrayLog server setup, collecting syslog information from a few different devices/servers?

Thanks in advance…


(Ritesh Khadgaray) #2

Have you setup as documented at - https://github.com/Graylog2/graylog-guide-syslog-linux ?


(Gregory West) #3

Yes, have read those instructions a few times. I expect if you know what is going on, they are pretty good. On the other hand if you are a person like me who is learning, they make little sense.

Things like:
UDP:

*.* @graylog.example.org:514;RSYSLOG_SyslogProtocol23Format

TCP:

*.* @@graylog.example.org:514;RSYSLOG_SyslogProtocol23Format

What am I supposed to do with those commands? Are they supposed to go into a config file somewhere, or are they input to a console? Does part of the command/conf (whichever it is) need to be changed for my particular setup?

From what I have seen your code and program look absolutely first rate. The documentation, in particular where new people are concerned, needs some work. Most other packages I have looked at either have step-by-step setup instructions or a script that sets up a single server darn close to a production environment.

I will grant you that once you go outside a single server and one LAN things get complex fast, but the single server environment will help new people like myself learn the syntax and structure of a system like Graylog.


(Jochen) #4

They are configuration directives for rsyslog and thus have to be added to the rsyslog configuration file.

Please refer to the rsyslog documentation for details: http://www.rsyslog.com/doc/v8-stable/index.html


(Gregory West) #5

I added those lines to my rsyslog conf file. I am still not getting any messages into Graylog. I seem to be having the same issues as a colleague of mine. He struggled with trying to get Graylog to work, and finally ended up just giving up after a week of nothing working.

I even downloaded your OVA machine, booted it up and it shows no messages of any type coming in.


(Jochen) #6

It’s a little bit hard to help you without you providing any information about your setup.

  • What inputs have you created in Graylog and what is their configuration?
  • What’s the complete configuration of your rsyslog daemon?
  • Are rsyslog and Graylog running on different systems? If so, can these systems communicate with each other on the configured ports?

(Gregory West) #7

TCP Syslog:

allow_override_date: true
bind_address: 10.10.10.54
expand_structured_data: false
force_rdns: false
max_message_size: 2097152
override_source: <empty>
port: 514
recv_buffer_size: 1048576
store_full_message: false
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: false
tls_key_file: <empty>
tls_key_password: ********
use_null_delimiter: false

UDP Syslog:

allow_override_date: true
bind_address: 10.10.10.54
expand_structured_data: false
force_rdns: false
override_source: <empty>
port: 514
recv_buffer_size: 262144
store_full_message: false

rsyslog -> listen.conf:

$SystemLogSocketName /run/systemd/journal/syslog
*.* @10.10.10.54:514;RSYSLOG_SyslogProtocol23Format
*.* @@10.10.10.54:514;RSYSLOG_SyslogProtocol23Format

Both are on the same machine. Other feeders will come from the LAN and WAN in time. But for now this is what I have.


#8

listen.conf is probably the wrong config file. Your rsyslog is not listening to Graylog, but sending log lines to it. So try another conf file. The correct one is probably /etc/rsyslogd.conf. Also, use only one of the two lines at a time. Also, when running CentOS you need to make port 514 an rsyslog port in SELinux, or disable SELinux, to make it work. This is a RedHat / CentOS specific howto: https://access.redhat.com/solutions/54363. The document describes both cases: receiving logs in rsyslog and sending logs from rsyslog, and also the SELinux part. Read carefully.

When setting up log collection, you need to find a lot of resources that are not Graylog-specific, but specific to the system that is sending log lines.


(Gregory West) #9

Hmmm. listen.conf is the only rsyslog file there.


#10

Better, then, to read the link I gave first. One additional note, though: you make your life easier if you use some other port for rsyslog than 514 (such as 5140), as the first thousand ports are reserved for system daemons.
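Pulling together the advice in #8 and #10, here is an added example that is not from this thread or the Graylog project: a bash pre-flight that checks whether anything is actually listening on the input port, whether SELinux and firewalld allow traffic to it, and then sends a hand-built RFC 5424 message (the format RSYSLOG_SyslogProtocol23Format emits) over both TCP and UDP using bash's /dev/tcp and /dev/udp, so you can search Graylog for the marker text without involving rsyslog at all. The host 10.10.10.54 and port 5140 are assumed placeholders; semanage comes from policycoreutils-python on CentOS 7. A non-root process such as graylog-server cannot bind a port below 1024 by itself, so if the listener check shows nothing on 514 that alone explains an empty Graylog.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the Graylog project): pre-flight checks
# for a Graylog syslog input on CentOS 7 plus a hand-built RFC 5424 test message.
# Assumed, hypothetical values: Graylog input bound to 10.10.10.54:5140.
set -u

# PRI = facility * 8 + severity (facility 16 = local0, severity 6 = info -> 134).
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# One RFC 5424 line, the shape RSYSLOG_SyslogProtocol23Format produces:
#   <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# MSGID and STRUCTURED-DATA are sent as "-" (nil). Timestamp and host are
# parameters so the output is deterministic and easy to check.
rfc5424_msg() {
    local facility="$1" severity="$2" ts="$3" host="$4" app="$5" procid="$6" msg="$7"
    printf '<%d>1 %s %s %s %s - - %s' \
        "$(syslog_pri "$facility" "$severity")" "$ts" "$host" "$app" "$procid" "$msg"
}

# Send one message with bash's /dev/tcp or /dev/udp (no netcat needed).
# TCP: Graylog's input has use_null_delimiter=false, so each message must end
# in a newline. UDP: one datagram per message, no terminator.
send_test_message() {
    local host="$1" port="$2" proto="$3" line="$4"
    case "$proto" in
        tcp) printf '%s\n' "$line" > "/dev/tcp/$host/$port" ;;
        udp) printf '%s'   "$line" > "/dev/udp/$host/$port" ;;
        *)   echo "proto must be tcp or udp" >&2; return 2 ;;
    esac
}

# The three usual reasons nothing arrives: no listener on the port (Graylog
# input never started, e.g. unprivileged bind of 514), SELinux confining
# rsyslog to labelled syslog ports, or firewalld blocking remote senders.
preflight() {
    local port="$1"
    echo "== listeners on :$port (expect a java process for the Graylog input)"
    ss -lntup | grep -E ":${port}[[:space:]]" || echo "nothing listening on $port"
    if command -v getenforce >/dev/null 2>&1 && [ "$(getenforce)" = Enforcing ]; then
        echo "== SELinux: $port should appear under syslogd_port_t; if not, run"
        echo "   semanage port -a -t syslogd_port_t -p tcp $port  (and -p udp)"
        semanage port -l | grep -w syslogd_port_t
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        echo "== firewalld open ports: $(firewall-cmd --list-ports)"
    fi
}

# Usage: ./graylog-check.sh check 10.10.10.54 5140
# then search Graylog for: graylog connectivity test
if [ "${1:-}" = check ]; then
    host="${2:?graylog host}"
    port="${3:?input port}"
    preflight "$port"
    line="$(rfc5424_msg 16 6 "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname -s)" \
                        graylogtest "$$" 'graylog connectivity test')"
    send_test_message "$host" "$port" tcp "$line" && echo "sent over TCP: $line"
    send_test_message "$host" "$port" udp "$line" && echo "sent over UDP: $line"
fi
```

If the TCP send fails with "connection refused" while the UDP send "succeeds", the input is simply not running: UDP has no handshake, so a write to a closed port reports nothing, which is why a missing message on a UDP input is so hard to diagnose and why a TCP input is the better choice while you are still learning the setup.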


(system) #11

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.