To ingest the log file generated by Graylog

Hi,
I’m using Graylog 4.3.10.
Sometimes I find error messages in Graylog’s output log. Therefore, I would like to monitor this output on the Graylog console and possibly create an alert so that I can take action if necessary. Is there a way to have a dedicated stream for Graylog’s log output? How can I create an alert for this purpose?
Currently, neither the All Events nor the All System Events stream contains information about the content of the log file. In fact, they are always empty.

Gianluca

If you are talking about server.log you could ingest it with logbeat etc. However, it is generally not “recommended” because it can lead to really bad outcomes. Basically you can create an error, the error writes to the log, which then triggers another error, etc. In a test environment it’s fine, but in production it’s a good way to make your cluster fall over.

Thanks
So there is no solution to have a notification if there are some errors in Graylog (for example a rule that doesn’t work fine)?

I need to look at the server.log every day :sweat:

Hey @gianluca-valentini

For my Graylog Localhost, I use Linux default “Rsyslog” then create a Syslog UDP input. This way you’re not installing other log shippers (Beat, Nxlog, etc…) on Graylog.

Thanks @gsmith, @Joel_Duffield
My Graylog is a Docker installation (in a Kubernetes cluster). Is it always possible to retrieve the server log for ingestion into a stream? How?

Thanks
Gianluca

Hey @gianluca-valentini

Docker containers emit logs to the stdout and stderr output streams. Because containers are stateless, the logs are stored on the Docker host in JSON files by default.

You can find these JSON log files in the /var/lib/docker/containers/ directory on a Linux Docker host. Here’s how you can access them:

/var/lib/docker/containers/<container id>/<container id>-json.log

You can configure something simple like this… I’m not sure about Kubernetes but this would be for docker-compose.

logging: 
  driver: syslog
  options: 
    syslog-address: "tcp://192.168.0.42:123"
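
As an added example (not part of the original posts and not Graylog's own code), this Python script reads the Docker json-file records described above and keeps only ERROR/FATAL entries, with a cap so an error burst cannot flood whatever receives the alerts. The console line layout, the logger names and the sample records are constructed assumptions; adjust the pattern to your own log4j2 layout.

```python
import json
import re

# Assumed console layout: "<date> <time> LEVEL: logger - message".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s*:\s+(?P<logger>\S+) - (?P<msg>.*)$")
ALERT_LEVELS = {"ERROR", "FATAL"}

def parse_docker_json_log(lines):
    """Yield (stream, time, text) from Docker json-file driver records."""
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # blank or partially written line, normal while tailing
        if isinstance(rec, dict):
            yield (rec.get("stream", ""), rec.get("time", ""),
                   rec.get("log", "").rstrip("\n"))

def graylog_errors(lines, max_events=100):
    """Return ERROR/FATAL events; stop at max_events to bound alert volume."""
    events, current = [], None
    for stream, time, text in parse_docker_json_log(lines):
        m = LINE_RE.match(text)
        if m:
            current = None  # a new log header ends any previous stack trace
            if m.group("level") in ALERT_LEVELS:
                if len(events) >= max_events:
                    break
                current = {"time": time, "stream": stream,
                           "logger": m.group("logger"),
                           "message": m.group("msg")}
                events.append(current)
        elif current is not None:
            current["message"] += "\n" + text  # stack trace continuation
    return events

# Constructed sample records in the json-file format (one JSON object per line).
SAMPLE = [
    r'{"log":"2023-05-10 09:15:01,120 INFO : example.Bootstrap - server started\n","stream":"stdout","time":"2023-05-10T09:15:01.120Z"}',
    r'{"log":"2023-05-10 09:15:02,004 ERROR: example.Processor - rule failed\n","stream":"stdout","time":"2023-05-10T09:15:02.004Z"}',
    r'{"log":"\tat example.Processor.run(Processor.java:1)\n","stream":"stdout","time":"2023-05-10T09:15:02.005Z"}',
    r'{"log":"2023-05-10 09:15:03,300 INFO : example.Bootstrap - heartbeat\n","stream":"stdout","time":"2023-05-10T09:15:03.300Z"}',
    r'{"log":"2023-05-10 09:15:04',  # truncated record, skipped by the parser
]

if __name__ == "__main__":
    for event in graylog_errors(SAMPLE):
        print(event["time"], event["logger"], event["message"])
```

Send the resulting alerts somewhere other than the Graylog cluster being watched, so a failing node cannot feed its own errors back into itself.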
