Syslog ships to graylog but without source details

Hi,

I’m not sure how to get graylog to show the hostname or IP that sent in the syslog event to Graylog. The syslog input listens on 5444

In graylog I just see this:
There is no info on what sent in the log. Multiple servers shipping logs in are not determinable.

syslog has been configured like this:
*.* @graylogserver:5444

Am I missing a graylog config or is it something I need to add to the source?

You should configure your syslog to hold this data; without knowing what kind of syslog you have configured, it is hard to guess.

But it might be that this will solve your issue:

*.* @graylogserver:5444;RSYSLOG_SyslogProtocol23Format

Thanks for this suggestion. I’m using FreeBSD 11.2 “syslog” and adding that “RSYSLOG_SyslogProtocol23Format” stops events being shipped to graylog.

What I’m finding is that by adding *.* @server to syslog.conf the @server receiving the log should be displaying the source:
Aug 2 12:54:14 <user.notice> test.home iceflatline: This a test message from client
but I don’t see test.home in Graylog.

Thanks for the tip. I’ve replaced syslog on FreeBSD with rsyslog and now the source is shipped and displayed in Graylog.

Using the following I can ship non-syslog files to graylog too:
$ModLoad imfile
$WorkDirectory /var/spool/rsyslog

# imfile legacy directives describe one monitor at a time and $InputRunFileMonitor
# creates it from the values set so far. Two $InputFileName lines in a row leave only
# the last one in effect, so each pattern gets its own block with its own state file.
$InputFileName /var/logs/CustomWeb/*.log
$InputFileTag CustomWeb
$InputFileStateFile CustomWeb-file1
$InputFileSeverity info
$InputFileFacility local7
$InputFilePersistStateInterval 1000
$InputRunFileMonitor

$InputFileName /var/logs/CustomWeb/*_log
$InputFileTag CustomWeb
$InputFileStateFile CustomWeb-file2
$InputFileSeverity info
$InputFileFacility local7
$InputFilePersistStateInterval 1000
$InputRunFileMonitor

# Forward only the file events, in RFC 5424 framing so the hostname field is carried.
if $programname == 'CustomWeb' then @10.2.37.241:5444;RSYSLOG_SyslogProtocol23Format
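What the thread turns on is the wire format: a BSD-style syslog line as FreeBSD's syslogd sends it carries no HOSTNAME field after the timestamp, so a receiver has nothing to display as the source, whereas the RSYSLOG_SyslogProtocol23Format template emits RFC 5424, where the hostname is a fixed field. The parser below is an added example, not code from any post or from Graylog; the three sample lines are constructed (PRI 13 is user.notice, matching the thread), and the parse_syslog and source_for names and the 192.0.2.10 peer address are assumptions for the illustration. source_for shows the attribution rule a receiver should apply: the hostname in the message is self-reported by whoever sent the datagram, so the transport peer address is kept as an independent field and used as the fallback.

```python
import re

# Constructed sample lines (not captured from the thread's hosts).
# PRI 13 = facility 1 (user) * 8 + severity 5 (notice), the "<user.notice>" the thread shows.
BSD_NO_HOST = "<13>Aug  2 12:54:14 iceflatline: This a test message from client"
BSD_WITH_HOST = "<13>Aug  2 12:54:14 test.home iceflatline: This a test message from client"
RFC5424_LINE = "<13>1 2019-08-02T12:54:14+02:00 test.home iceflatline - - - This a test message from client"

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# BSD (RFC 3164) timestamp: "Mmm dd hh:mm:ss", day padded with a space
BSD_RE = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} (.*)$", re.S)
# RFC 5424 header: VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then SD and MSG
RFC5424_RE = re.compile(r"^1 (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)
# Structured data is "-" or one or more [..] elements; escaped "]" inside SD is ignored here (simplification)
SD_RE = re.compile(r"^(-|(?:\[[^\]]*\])+)(?: (.*))?$", re.S)


def parse_syslog(line: str) -> dict:
    """Split a syslog line into the fields a receiver keys on.

    'hostname' is None when the line carries no hostname at all, which is the
    case the thread describes for FreeBSD syslogd forwarding.
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix: %r" % line)
    pri, rest = int(m.group(1)), m.group(2)
    if pri > 191:
        raise ValueError("PRI out of range: %d" % pri)
    out = {
        "format": None,
        "facility": pri // 8,
        "severity": pri % 8,
        "hostname": None,
        "tag": None,
        "msg": None,
    }

    m5 = RFC5424_RE.match(rest)
    if m5:
        _ts, host, app, _procid, _msgid, tail = m5.groups()
        sd = SD_RE.match(tail)
        out.update(
            format="rfc5424",
            hostname=None if host == "-" else host,  # "-" is the RFC 5424 nil value
            tag=app,
            msg=sd.group(2) if sd else tail,
        )
        return out

    mb = BSD_RE.match(rest)
    if mb:
        remainder = mb.group(1)
        first, _, after = remainder.partition(" ")
        # RFC 3164 puts HOSTNAME right after the timestamp, but many senders
        # (FreeBSD syslogd among them) omit it on the wire, so the next token
        # is already "TAG:" or "TAG[pid]:".
        if first.endswith(":") or "[" in first:
            hostname, tag_and_msg = None, remainder
        else:
            hostname, tag_and_msg = first, after
        tag, _, msg = tag_and_msg.partition(":")
        out.update(format="bsd", hostname=hostname, tag=tag, msg=msg.strip())
        return out

    raise ValueError("unrecognised syslog line: %r" % line)


def source_for(parsed: dict, peer_ip: str) -> str:
    """Attribution rule: use the hostname the message carries, else the transport peer.

    The hostname field is whatever the sender chose to write, so the peer
    address should be stored alongside it rather than discarded.
    """
    return parsed["hostname"] or peer_ip


if __name__ == "__main__":
    for sample in (BSD_NO_HOST, BSD_WITH_HOST, RFC5424_LINE):
        p = parse_syslog(sample)
        print(p["format"], "hostname=%r" % p["hostname"], "source=%s" % source_for(p, "192.0.2.10"))
```

Running it prints one line per sample: the FreeBSD-style line resolves to the peer address 192.0.2.10 because it has no hostname field, while both the relayed BSD line and the RFC 5424 line resolve to test.home.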
