What are the different Logtemplates I have to use?

Hey everyone,

Setting up my Graylog instance, I'm quite confused about what the different Templates are that I've got to use.

On Debian 10 I added /etc/rsyslog.d/graylog.conf with the following value:

*.* @graylog.i.abc.de:13526;RSYSLOG_SyslogProtocol23Format

and everything in /var/log is getting parsed awesomely. Now I'm seeing that Serviio uses a different log pattern:

2022-04-06T15:44:57,701 INFO  [PlaylistMaintainerWorker] Started looking for playlist changes

And Plex as well:

Apr 01, 2022 22:33:31.142 [0x7fb0bcb3bb38] INFO - Plex DLNA Server v1.25.8.5663-e071c3d62 - Debian GNU/Linux PC x86_64 - build: linux-x86_64 - GMT 02:00

I’m scratching my head and can’t find anything relevant on Google. What I found out is that you can write your own rsyslogd Templates. But I’m quite sure that the formats I showed you are “standardized”, aren’t they? If so, can someone give me a hint on what they’re called and where I’m able to find a list of them?

Hello,

From what I see, both can use Syslog UDP/TCP Inputs, and yes, they are standard.

For example, I have two formats of logs:

Apr 6 16:51:05 graylog kernel: DROP INPUT: IN= WINDOW=8212 RES=0x00 ACK PSH URGP=0

And

2022-04-06 14:52:49 some_server.domain.com DEBUG 5408 NT AUTHORITY\SYSTEM [API] s_ApiCreateKey(Dedup)

Both of these can use Syslog UDP/TCP Inputs.

If you're looking to enhance your messages, it's possible to use GELF inputs, but be aware this format will create a lot of fields. Of course you may need to send those logs in GELF format instead of Syslog format. Most if not all log shippers have modules/templates to accomplish this.

Example for the NXLog log shipper; this is for GELF format using TCP/TLS.

<Extension _gelf>
    Module      xm_gelf
</Extension>

Then the output

<Output out>
    Module      om_ssl
    Host        graylog.domain.com
    Port        51411
    OutputType  GELF_TCP
    CertFile        /var/lib/nxlog/cert/graylog3-certificate.pem
    CertKeyFile     /var/lib/nxlog/cert/graylog3-key.pem
    CAFile          /var/lib/nxlog/cert/cert3.pem
    KeyPass         secret
</Output>

As for Rsyslog.

To sum it up, if you're satisfied with what you have now, I would keep the Syslog UDP/TCP inputs that are working for you. You may want to look into separating your devices onto different inputs, just a suggestion. This way, if you need to add a field to a specific device's logs to execute a better search, you can do it without affecting other devices' log format, or just to see all the logs from only switches, Windows servers, etc., and again, just a suggestion.

You also have the option of using Raw/plaintext INPUTs. This works for almost anything that can send logs. It's kind of my go-to INPUT for unique devices.

This all depends on what your objective is on what could/should be done.

Hope that helps

Hey there,
thanks, that helps. I was just curious if there was a list of template fields.

But I’m fine with syslog UDP. I filter them with GROK extractors. :) Thanks!
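As an added example (not code from anyone in this thread), here is a small Python equivalent of the Grok-extractor approach the thread ends on: one regex per log format quoted above, normalised into a common field set, with unrecognised lines returned as None so they can be routed to a raw/plaintext input instead. The field names and the default year for the year-less BSD syslog timestamp are my own assumptions.

```python
import re
from datetime import datetime

# Sample lines are the ones quoted in the thread (Serviio, Plex, a BSD-style
# kernel line, and the DEBUG line no pattern below covers).
SAMPLES = [
    "2022-04-06T15:44:57,701 INFO  [PlaylistMaintainerWorker] Started looking for playlist changes",
    "Apr 01, 2022 22:33:31.142 [0x7fb0bcb3bb38] INFO - Plex DLNA Server v1.25.8.5663-e071c3d62 - Debian GNU/Linux PC x86_64 - build: linux-x86_64 - GMT 02:00",
    "Apr 6 16:51:05 graylog kernel: DROP INPUT: IN= WINDOW=8212 RES=0x00 ACK PSH URGP=0",
    "2022-04-06 14:52:49 some_server.domain.com DEBUG 5408 NT AUTHORITY\\SYSTEM [API] s_ApiCreateKey(Dedup)",
]

# One named-group regex per format, in the same spirit as a Grok pattern.
PATTERNS = {
    "serviio": re.compile(
        r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}),(?P<ms>\d{3})\s+"
        r"(?P<level>[A-Z]+)\s+\[(?P<source>[^\]]+)\]\s+(?P<msg>.*)$"),
    "plex": re.compile(
        r"^(?P<ts>[A-Z][a-z]{2} \d{2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<ms>\d{3})\s+"
        r"\[(?P<source>0x[0-9a-f]+)\]\s+(?P<level>[A-Z]+)\s+-\s+(?P<msg>.*)$"),
    "bsd_syslog": re.compile(  # RFC 3164 style, no year and no level
        r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
        r"(?P<source>[^:\s]+):\s+(?P<msg>.*)$"),
}
TS_FORMATS = {
    "serviio": "%Y-%m-%dT%H:%M:%S",
    "plex": "%b %d, %Y %H:%M:%S",
    "bsd_syslog": "%Y %b %d %H:%M:%S",  # the year is prepended by parse_line
}

def parse_line(line, default_year=2022):
    """Return normalised fields for a known format, or None if nothing matches."""
    for name, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m is None:
            continue
        f = m.groupdict()
        ts = f["ts"] if name != "bsd_syslog" else f"{default_year} {f['ts']}"
        stamp = datetime.strptime(ts, TS_FORMATS[name])
        if f.get("ms"):  # keep the millisecond part where the format has one
            stamp = stamp.replace(microsecond=int(f["ms"]) * 1000)
        return {"format": name, "timestamp": stamp.isoformat(timespec="milliseconds"),
                "host": f.get("host"), "level": f.get("level"),
                "source": f.get("source"), "message": f["msg"]}
    return None

def parse_all(lines, default_year=2022):
    """Parse every line; unmatched lines stay None so the caller can route them."""
    return [parse_line(line, default_year) for line in lines]
```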
