Hello guys, after installing graylog, I therefore created TCP inputs with syslog to receive logs on my web interface. It worked but my /var/log/messages file completely saturated my storage space (50GB) in the space of 5 minutes, which made it impossible to start the Elasticsearch and Mongodb service and access the Graylog web interface. I therefore deleted the content of the “messages” file which made it possible to resolve the various problems above. So my question is: how to avoid this overload? Do I have to establish rules in the Graylog configuration file? Thank you in advance.
What exactly was filling up
Graylog stores messages it receives in Elasticsearch so, syslog messages you were sending from remote hosts should be written there and not
Please provide a full description of your configuration.
How did you configure the syslog inputs?
How were you sending the syslog messages to your Graylog server?
Hello Ponet, thank you for your reply. Here are some lines from the message file. For my configuration, I therefore have a Centos 7 VM, 4 GB RAM, 100 GB of storage.
For the input I configured it in TCP on port 1514 with 127.0.0.1 as the bind address. Sorry for the limited information; I cannot currently access my web interface.
You’ve bound the input to the loop-back address so, are you just using it for local syslog messages on the graylog host?
On the Graylog Host, and another client (local)
What do you mean?
Please explain the situation.
Without knowing how you are configuring your setup, it’s hard to work out what is wrong.
Yes, sorry for that, the problem comes from my input apparently. When I start this input, the “messages” file fills up again. I have included the configuration of my input and my rsyslog. How can I receive the logs from my Graylog server on the web interface without filling this “messages” folder? Thank you and sorry again for the cruel lack of precision.
The screenshot of /var/log/messages that you posted earlier, was that screenshot taken after you had deleted the file?
If the screenshot is from after deleting the file, can you start the syslog input briefly to capture some of the messages that are flooding the log?
What is the last screenshot you posted? It looks like your rsyslog configuration however, everything is commented out and it looks like it is just pasted into a terminal?
No, before deleting. Yes, the last screenshot is my rsyslog; I re-commented the line *.* to avoid the flood in /var/log/messages because as soon as I uncomment this line the file is filled. An example of my “messages” file after uncommenting the line in rsyslog.conf:
Jan 23 16:02:46 graylog systemd Starting System Logging Service…
Jan 23 16:02:46 graylog rsyslogd [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="1961" x-info="http://www.rsyslog.com"] start
Jan 23 16:02:46 graylog systemd Started System Logging Service.
Jan 23 16:02:46 graylog systemd Stopping System Logging Service…
Jan 23 16:02:46 graylog rsyslogd [origin software="rsyslogd" swVersion="8.24.0-41.el7_7.2" x-pid="1166" x-info="http://www.rsyslog.com"] exiting on signal 15.
OK so, from looking at it, your rsyslog config looks to be wrong.
You are running your syslog input on 127.0.0.1:1514 however, you have configured rsyslog to send to 127.0.0.1:514
You’re right, thanks. After changing the port, the messages file is no longer flooded but I still cannot get the Graylog server logs on my web interface. How can I do it?
Yeah, I think you unintentionally created a feedback loop with rsyslog since it was configured to send everything back to itself so, it just continuously wrote until you ran out of disk space…
If your input is running and rsyslog is sending to it, you should start to see the messages appear.
Check the sources page or ‘View received messages’ on the syslog input.
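The feedback loop described above (rsyslog forwarding *.* back to a port rsyslog itself listens on) can be caught by reading the config before the daemon is restarted. The script below is an added example, not code from this thread or from the Graylog or rsyslog projects; it parses constructed rsyslog.conf fragments (legacy @/@@ forwarding rules and $UDPServerRun/$InputTCPServerRun listeners, plus their RainerScript action(type="omfwd")/input(type="imtcp") forms) and flags any forwarding rule that points at a loopback address and a port rsyslog is listening on.

```python
import re

# Constructed rsyslog.conf fragments (not from the thread): the broken one
# forwards everything back to the port rsyslog itself listens on (the loop
# that filled /var/log/messages); the fixed one targets the Graylog input.
BROKEN_CONF = """
$ModLoad imtcp
$InputTCPServerRun 514
*.* @@127.0.0.1:514
"""
FIXED_CONF = BROKEN_CONF.replace("127.0.0.1:514", "127.0.0.1:1514")

LEGACY_FWD = re.compile(r'^\s*\S+\s+@(@?)([^\s:]+):(\d+)', re.M)   # "*.* @host:port" / "@@host:port"
LEGACY_LISTEN = re.compile(r'^\s*\$(UDPServerRun|InputTCPServerRun)\s+(\d+)', re.M)
RS_ACTION = re.compile(r'action\(([^)]*type="omfwd"[^)]*)\)')     # RainerScript forward
RS_INPUT = re.compile(r'input\(([^)]*type="im(udp|tcp)"[^)]*)\)')  # RainerScript listener
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def _uncommented(conf):
    """Drop '#' comment lines so a commented-out '*.*' rule is not counted."""
    return re.sub(r'^\s*#.*$', '', conf, flags=re.M)

def _attrs(body):
    return dict(re.findall(r'(\w+)="([^"]*)"', body))

def forward_targets(conf):
    """Return (proto, host, port) for every forwarding rule in conf."""
    conf = _uncommented(conf)
    targets = [("tcp" if tcp else "udp", host, int(port))
               for tcp, host, port in LEGACY_FWD.findall(conf)]
    for body in RS_ACTION.findall(conf):
        a = _attrs(body)
        targets.append((a.get("protocol", "udp").lower(), a.get("target", ""),
                        int(a.get("port", "514"))))
    return targets

def listen_ports(conf):
    """Return the set of (proto, port) pairs rsyslog itself listens on."""
    conf = _uncommented(conf)
    ports = {("udp" if d == "UDPServerRun" else "tcp", int(p))
             for d, p in LEGACY_LISTEN.findall(conf)}
    for body, proto in RS_INPUT.findall(conf):
        ports.add((proto, int(_attrs(body).get("port", "514"))))
    return ports

def find_loops(conf):
    """Forwarding rules that point back at one of rsyslog's own local listeners."""
    listening = listen_ports(conf)
    return [t for t in forward_targets(conf)
            if t[1] in LOOPBACK and (t[0], t[2]) in listening]
```

Run find_loops on the real /etc/rsyslog.conf contents; an empty list means no rule forwards to a local rsyslog listener, and the Graylog input port (1514 here) is not flagged because rsyslog is not listening on it.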
Nothing appears, is this configuration correct?
You might want to start the input. It can’t receive messages if it isn’t listening for them.
I activated it well before trying, don’t worry. Still nothing.
Run tcpdump and check to see if rsyslog is definitely sending to 127.0.0.1:1514
Tcpdump did not work, 0 packets captured. Port 1514 is open on my firewall, do you have an idea?
Just want to confirm, you were running tcpdump on the loopback interface, right?
tcpdump -ni lo port 514, am I right?