If you use Graylog, you’ve probably wondered how to monitor Linux logs. Using the below procedure, you will be able to easily forward the exact logs that matter to you to Graylog. For more information about Graylog and how to install, follow this link: http://www.systeen.com/2016/05/12/install-graylog-2-0-centos-7-collect-windows-logs/
CREATE RSYSLOG CONFIG FILE
1- After installing rsyslog, create a new custom configuration file inside the /etc/rsyslog.d folder:
vi /etc/rsyslog.d/graylog_syslog.conf
2- Add the following to "graylog_syslog.conf" if you want to forward all syslog messages to Graylog (use plain ASCII double quotes; curly quotes break the template):
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* @GRAYLOG_IP_HERE:PORT;GRAYLOGRFC5424
The above configuration will forward all syslog messages. To choose which syslog messages to forward, read below.
The forwarding line (*.* @GRAYLOG_IP_HERE:PORT) is made up of three parts: the selector *.*, the Graylog address, and the port (the single @ means the message is sent over UDP):
GRAYLOG_IP_HERE = IP of the Graylog VM
PORT = any port above 1000, e.g. 1514
As for *.*, syslog messages are classified by facility and severity:
The first * represents the facility used by rsyslog. For a list of facilities and their descriptions:
https://wiki.gentoo.org/wiki/Rsyslog#Facility
The second * represents the severity of the message. For a list of severities:
https://wiki.gentoo.org/wiki/Rsyslog#Severity
e.g. to combine several filters, separate them with semicolons. The selector below replaces the *.* in the forwarding line: it forwards messages of severity info or higher from every facility, but nothing from the mail, authpriv and cron facilities:
*.info;mail.none;authpriv.none;cron.none
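To make the selector syntax concrete, here is an added example (not code from the original post) that evaluates rsyslog's legacy selectors in Python and computes the PRI value the template's %PRI% field carries. It goes beyond the single selector above: it also handles comma-separated facility lists and the =, != and ! priority modifiers, following the syslog.conf(5) semantics that rsyslog inherited (an assumption stated in the docstring). The facility and severity codes are the RFC 5424 values.

```python
"""rsyslog selector evaluation.

Added example (not code from the original post). It applies the legacy
syslog.conf(5) selector semantics that rsyslog inherited: entries are
applied left to right, a plain priority selects that priority and every
more severe one, "=" selects exactly that priority, "!" excludes that
priority and every more severe one, "!=" excludes exactly that priority,
"none" drops the facility, and "*" selects everything. The numeric codes
are the RFC 5424 values rsyslog combines into the <PRI> field.
"""

# Facility names -> codes (RFC 5424 section 6.2.1); codes 12-15 have no
# common syslog.conf names, so they are reachable only through "*".
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
ALL_FACILITIES = range(24)

# Severity names -> codes; lower is more severe (emerg=0 ... debug=7).
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
    # aliases accepted by logger(1) and rsyslog
    "panic": 0, "error": 3, "warn": 4,
}


def pri(facility: str, severity: str) -> int:
    """The <PRI> value rsyslog renders via %PRI%: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def _apply(current: set, priority: str) -> set:
    """Update the severity set of one facility with one priority spec."""
    exclude = priority.startswith("!")
    exact = priority.lstrip("!").startswith("=")
    name = priority.lstrip("!=")
    if name == "none":
        return set()
    if name == "*":
        chosen = set(range(8))
    else:
        level = SEVERITIES[name]
        # "err" means err and everything more severe, i.e. codes 0..3
        chosen = {level} if exact else set(range(level + 1))
    return current - chosen if exclude else current | chosen


def compile_selector(selector: str) -> dict:
    """Map each facility code to the set of severity codes it forwards."""
    allowed = {code: set() for code in ALL_FACILITIES}
    for entry in selector.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        fac_part, _, priority = entry.partition(".")
        if fac_part == "*":
            codes = list(ALL_FACILITIES)
        else:
            codes = [FACILITIES[name.strip()] for name in fac_part.split(",")]
        for code in codes:
            allowed[code] = _apply(allowed[code], priority)
    return allowed


def forwards(selector: str, facility: str, severity: str) -> bool:
    """Would the selector's action line see a facility.severity message?"""
    return SEVERITIES[severity] in compile_selector(selector)[FACILITIES[facility]]


if __name__ == "__main__":
    # The post's filter: info and above from everything, nothing from mail, authpriv or cron.
    selector = "*.info;mail.none;authpriv.none;cron.none"
    for fac, sev in [("daemon", "emerg"), ("mail", "emerg"), ("user", "debug")]:
        print(f"{fac}.{sev} (PRI {pri(fac, sev)}): forwarded={forwards(selector, fac, sev)}")
```

Running it shows that daemon.emerg (PRI 24) is forwarded, mail.emerg is dropped because mail.none wins over *.info, and user.debug is dropped because debug is less severe than info. Checking a selector this way before deploying it avoids silently losing the auth-related events a SIEM depends on.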
TESTING RSYSLOG CONFIGURATION
Once you have set the rsyslog facility and severity you want to forward, you can test your changes with the command below:
# logger -p facility.severity "TEST MESSAGE"
e.g.:
# logger -p daemon.emerg "This is a log message of facility daemon and severity emerg."
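To see what the test message above looks like on the wire, here is an added example (not the post's code) that renders a message in the exact field order of the GRAYLOGRFC5424 template, parses it back the way a Syslog UDP input does, and runs both ends over loopback on an ephemeral port standing in for the Graylog port. The timestamp, hostname and app name are constructed sample values; daemon is facility 3 and emerg is severity 0, so the PRI is 24.

```python
"""What a Syslog UDP input receives from the GRAYLOGRFC5424 template.

Added example (not the post's code). format_rfc5424() renders the same
field order as the template (<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME
PROCID MSGID STRUCTURED-DATA MSG), parse_rfc5424() splits the header
back apart the way a receiver does and recovers facility and severity
from PRI, and send_and_receive() runs both ends over loopback.
"""
import socket

NILVALUE = "-"  # RFC 5424 placeholder for a header field that is absent


def format_rfc5424(facility, severity, timestamp, hostname, app_name,
                   procid=NILVALUE, msgid=NILVALUE,
                   structured_data=NILVALUE, msg=""):
    """Render one message exactly as the template does, newline included."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility/severity out of range")
    header = " ".join([f"<{facility * 8 + severity}>1", timestamp, hostname,
                       app_name, procid, msgid, structured_data])
    return f"{header} {msg}\n"


def _split_structured_data(tail):
    """Separate one or more [SD-ELEMENT]s from the MSG that follows them."""
    i = 0
    while i < len(tail) and tail[i] == "[":
        i += 1
        while i < len(tail) and tail[i] != "]":
            i += 2 if tail[i] == "\\" else 1   # '\]' is an escaped bracket
        i += 1                                 # consume ']'
    return tail[:i], tail[i + 1:]


def parse_rfc5424(line):
    """Decode a line produced by format_rfc5424 (or by the rsyslog template)."""
    line = line.rstrip("\n")
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing PRI")
    close = line.index(">")
    pri = int(line[1:close])
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range")
    parts = line[close + 1:].split(" ", 6)
    if len(parts) != 7 or parts[0] != "1":
        raise ValueError("not an RFC 5424 version 1 header")
    _, timestamp, hostname, app_name, procid, msgid, tail = parts
    if tail.startswith("["):
        structured_data, msg = _split_structured_data(tail)
    else:
        structured_data, _, msg = tail.partition(" ")
    return {
        "facility": pri // 8, "severity": pri % 8,
        "timestamp": timestamp, "hostname": hostname, "app_name": app_name,
        "procid": procid, "msgid": msgid,
        "structured_data": structured_data, "msg": msg,
    }


def send_and_receive(line, timeout=2.0):
    """Deliver one datagram over loopback; return (sender IP, parsed message)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as receiver:
        receiver.bind(("127.0.0.1", 0))  # port 0: the kernel picks a free high port
        receiver.settimeout(timeout)
        port = receiver.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
            sender.sendto(line.encode("utf-8"), ("127.0.0.1", port))
        data, (src_ip, _) = receiver.recvfrom(65535)
    return src_ip, parse_rfc5424(data.decode("utf-8"))


if __name__ == "__main__":
    # Constructed message matching the post's logger example (daemon=3, emerg=0 -> PRI 24).
    line = format_rfc5424(3, 0, "2016-05-12T10:00:00+00:00", "web01", "root",
                          msg="This is a log message of facility daemon and severity emerg.")
    print(line, end="")
    print(send_and_receive(line))
```

Two things worth noticing: the sender address the receiver reports (src_ip) is the IP of whichever host actually sent the datagram, which is independent of the HOSTNAME field carried inside the message; and because the single @ sends plain UDP, nothing on this path confirms delivery or protects the content, so the port must be reachable only from the hosts that are meant to log to it.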
ADDING GRAYLOG INPUT
To receive logs on Graylog, add a new Input Source on Graylog:
Click on System -> Inputs. From the drop-down choose Syslog UDP, then click on Launch new input.
Add a title and change the port number to match the one you specified earlier.
If you have any questions just leave a comment below and I'll be happy to answer. You can also use the Facebook page for a faster response.
Tags: graylog, rsyslog
Hi, I am having trouble: all messages are being forwarded to the Graylog server with the source IP of the syslog relay server. How can I get rid of the relay server's IP when messages are received on the Graylog server?