Windows Log ingestion into graylog server

Yeah, there are 2 other logs. One for sidecar and one for collector, I believe.

hi,

check if there are errors in the graylog’s log file. There could be some error messages relevant to this. As the logs are received in the beats input but the messages are not seen, it is possible that the log format is problematic. Check e.g. that the timestamp field is in the right format. If necessary, create an extractor for the input that reformats the timestamp.

Hi, which logs should I look for on the Graylog server, and what is the log location?

Hi, where are the logs located on the Graylog server? I tried to look under the /var/log/ directory but don’t know which logs to check.

See http://docs.graylog.org/en/2.2/pages/configuration/file_location.html for the specific file locations.

Doesn’t look like these are readable logs, or am I at the incorrect location?

current is the log you are looking for.

This is what I get in the current log.

These logs are created by runit/svlogd, see http://smarden.org/runit/svlogd.8.html and http://www.techrepublic.com/blog/linux-and-open-source/log-linux-services-with-runit/ for details.
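The unreadable prefix on each line of an svlogd "current" file is a TAI64N timestamp label (svlogd run with -t), which tai64nlocal converts to a readable time. The following script is an added example, not from this thread or the Graylog project: it decodes those labels to UTC and pulls out WARN/ERROR lines so the log can be checked for errors as suggested above. The sample lines are constructed, and the log path /var/log/graylog/server/current is an assumption about the appliance layout.

```python
"""Decode svlogd TAI64N-prefixed log lines and pick out error entries."""
import re
import sys
from datetime import datetime, timezone

# A TAI64 label is 2**62 + TAI seconds; TAI was 10 s ahead of Unix time at the
# epoch. Like tai64nlocal, we apply only that fixed offset and ignore later
# leap seconds, so results may be off by a few seconds versus true UTC.
TAI64_OFFSET = (1 << 62) + 10
TAI64N_RE = re.compile(r"^@([0-9a-f]{16})([0-9a-f]{8}) ?(.*)$")
ERROR_RE = re.compile(r"\b(WARN|ERROR|FATAL)\b")


def parse_svlogd_line(line):
    """Return (unix_seconds, nanoseconds, message) for one svlogd line.

    Lines without a TAI64N label (svlogd run without -t) come back with
    None for both time fields and the line unchanged as the message.
    """
    m = TAI64N_RE.match(line.rstrip("\n"))
    if not m:
        return None, None, line.rstrip("\n")
    secs = int(m.group(1), 16) - TAI64_OFFSET
    nanos = int(m.group(2), 16)
    return secs, nanos, m.group(3)


def to_iso_utc(secs, nanos):
    """Format Unix seconds plus nanoseconds as an ISO-8601 UTC timestamp."""
    base = datetime.fromtimestamp(secs, tz=timezone.utc)
    return base.strftime("%Y-%m-%dT%H:%M:%S") + f".{nanos:09d}Z"


def humanize(lines):
    """Replace TAI64N labels with readable UTC timestamps (tai64nlocal in UTC)."""
    out = []
    for line in lines:
        secs, nanos, msg = parse_svlogd_line(line)
        out.append(msg if secs is None else f"{to_iso_utc(secs, nanos)} {msg}")
    return out


def find_errors(lines):
    """Return only the humanized lines whose message carries a WARN/ERROR/FATAL level."""
    return [l for l in humanize(lines) if ERROR_RE.search(l)]


# Constructed sample lines in svlogd -t format (not real Graylog output).
SAMPLE_LINES = [
    "@4000000058a1a7fa075bcd15 INFO : constructed sample: server started",
    "@4000000058a1a7fb00000000 ERROR : constructed sample: timestamp field unparseable",
]

if __name__ == "__main__":
    # Assumed appliance path; pass another file as the first argument to override.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/graylog/server/current"
    with open(path, encoding="utf-8", errors="replace") as fh:
        print("\n".join(find_errors(fh)))
```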

So there are no native logs for Graylog; we need to configure svlogd to capture Graylog’s logs, is it?

What do you mean with “no native logs”?

I mean, just like I can see the collector/filebeat logs on the endpoint with ease, I am not able to find/see the logs on the Graylog server.

For different reasons, it’s not quite useful to send the logs of Graylog to Graylog itself (at least not as the only target).

Just think about the case where Graylog or Elasticsearch are broken and new messages aren’t indexed anymore. How would you try to find the cause for this if you don’t have access to the logs of Graylog?

This being said, there’s a plugin to record the internal logs of Graylog: https://marketplace.graylog.org/addons/f6860ca4-532f-4e94-ae8e-c3655c508c52
