Home  /  How To's  /  Forward Rsyslog Logs to Graylog

Forward Rsyslog Logs to Graylog

How To's 4 Comments

If you use Graylog, you’ve probably wondered how to monitor Linux logs. Using the below procedure, you will be able to easily forward the exact logs that matter to you to Graylog. For more information about Graylog and how to install, follow this link: http://www.systeen.com/2016/05/12/install-graylog-2-0-centos-7-collect-windows-logs/

CREATE RSYSLOG CONFIG FILE

1- After installing rsyslog, create a new custom configuration file inside /etc/rsyslog.d folder:

vi /etc/rsyslog.d/graylog_syslog.conf

2- Add the following to  “graylog_syslog.conf” if you want to forward all syslog messages to Graylog:

$template GRAYLOGRFC5424,”<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n”
*.* @GRAYLOG_IP_HERE:PORT;GRAYLOGRFC5424

The above configuration will forward all syslog messages. To choose which syslog messages to forward, read below.

The following line (*.* @GRAYLOG_IP_HERE:PORT) is made up of 3 main parts:

GRAYLOG_IP_HERE = IP of the Graylog VM
PORT = Any port above 1000 . e.g. 1514

As for *.* , syslog messages are classified by facility and severity:

The first * (red) represents the facility used by rsyslog. For a list of facilities and their description:
https://wiki.gentoo.org/wiki/Rsyslog#Facility

The second * (blue) represents the severity of the message. For a list of severities:
https://wiki.gentoo.org/wiki/Rsyslog#Severity

e.g. for multiple filtering, separate by semicolon:

TESTING RSYSLOG CONFIGURATION

Once you modify the rsyslog facility and severity you want to log, you can test your changes using the below command:
# logger -p facility.severity “TEST MESSAGE”

e.g.:
# logger -p daemon.emerg “This is a log message of facility daemon and severity emerg.”

ADDING GRAYLOG INPUT

To receive  logs on Graylog, add a new Input Source on Graylog:
Click on System -> Inputs . From the drop down choose Syslog UDP, then click on Launch new input.
Add a title and change the port number to match the one you specified earlier.

 

If you have any questions just leave a comment below and I’ll be happy to answer. You can also use the facebook page for a faster response.

Tags: ,

About Author

SYSteen Founder

Tech savvy and explorer. With over 15 years of IT and Systems experience under his sleeves, SYSteen Founder decided to launch his own blog to fill in the gaps of the lack of robust tech how-to's online.

Related Posts

4 Comments

  1. netacadlab Reply
    November 27, 2017 at 11:04 am

    Hi, I am having to trouble, all messages are being forwarded to Graylog server with the source IP of the syslog relay Server, how can I get rid of the relay server’s IP when messages are received on GRAYLOG server?

  2. pasupuleti seshagiri Reply
    May 8, 2018 at 4:24 pm

    completed graylog server configuration. Completed rsyslog configuration as you said but unable to receive messages in GUI. Instead of that, the output will be “Couldnot Execute search, there was an error executing your search. Please check your Graylog server logs for more information.

  3. Aaron Axvig Reply
    September 21, 2018 at 8:28 pm

    The smart-quotes in the template definition will cause that to not work if you copy and paste it. Just to save someone some time in the future!

Leave a Reply