Ubuntu rsyslog custom file log monitoring

jithin12 · May 2, 2019, 12:10pm

Ubuntu rsyslog custom file log monitoring
I have issue with instead of system Hostname showing network gateway, when adding ubuntu rsyslog custom log file monitoring.( log file created manually ,that content forwared to ubuntu syslog file and taken in graylog.

if any solution please share.

jan · May 2, 2019, 8:16pm

would you please be so kind and add some more words what you try todo. What your current state is, what you had already tried and what your desired outcome is.

I guess that your question might also be answered already and please you to use the sarch function in this community.

jithin12 · May 3, 2019, 7:54am

Collecting logs from ubuntu via rsyslog to graylog server.

Actually i want to collect ubuntu screen locks logs to graylog .

In ubuntu,

dbus-monitor --session “type=‘signal’,interface=‘com.canonical.Unity.Session’”

this script run in cronjob and out put write to /var/log/custom.log file. then i make changes in rsyslog configration.

add one conf file custom.conf in /etc/rsyslog.d/

(this for screen lock logs write to syslog)
custom.conf --> file content

vi /etc/rsyslog.d/app.conf

$ModLoad imfile
$InputFilePollInterval 10
$PrivDropToGroup adm
$InputFileName /var/log/custom.log
$InputFileTag test
$InputFileStateFile Stat-test
$InputFileSeverity test
$InputFileFacility local7
$InputRunFileMonitor
$InputFilePersistStateInterval 1000

restart the rsyslog service

After this i got ubuntu screen locks in graylog console but issue have graylog source field shows network gateway ip instead of ubuntu client hostname.

if any solution have please ping with me.

frantz · May 3, 2019, 9:23am

It seems your logs d’ont respect the syslog format, so Graylog Syslog Input does not manage to read the right source field.
Can you provide a log sample ?
Which type of Input do you use in Graylog ? Syslog ? Raw ?

jithin12 · May 3, 2019, 9:35am

grylog = syslog TCP, ubuntu client syslog Tcp

. @@10.10.1.199:1514;RSYSLOG_SyslogProtocol23Format

frantz · May 3, 2019, 11:31am

Check with tcpdump the log sent to Graylog:
tcpdump -AAAnni eth0 port 1514
Provide us the log content.

10.10.1.199 is the Graylog IP ? or a syslog relay ?

system · May 17, 2019, 11:37am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Centralized SysLog Firewall Graylog Central (peer support)	3	48	November 20, 2024
Multiple servers forwarding to Graylog Graylog Central (peer support)	5	2415	December 14, 2017
Syslog data collection for GrayLog Graylog Central (peer support)	10	3334	August 12, 2017
Rsyslog app name Graylog Central (peer support) documentation , filebeat-linux , access-specific-log- , dashboards , gelf	4	983	January 12, 2023
Syslog ships to graylog but without source details Graylog Central (peer support)	4	1384	June 4, 2019

Ubuntu rsyslog custom file log monitoring

vi /etc/rsyslog.d/app.conf

Related topics