
Forward Rsyslog Logs to Graylog

SYSteen Founder | May 03, 2017 | How To's

If you use Graylog, you’ve probably wondered how to monitor Linux logs. Using the procedure below, you will be able to easily forward exactly the logs that matter to you to Graylog. For more information about Graylog and how to install it, follow this link: http://www.systeen.com/2016/05/12/install-graylog-2-0-centos-7-collect-windows-logs/

CREATE RSYSLOG CONFIG FILE

1- After installing rsyslog, create a new custom configuration file inside /etc/rsyslog.d folder:

vi /etc/rsyslog.d/graylog_syslog.conf

2- Add the following to "graylog_syslog.conf" if you want to forward all syslog messages to Graylog:

$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
# A single @ sends over UDP (matching the Syslog UDP input added later); @@ would send over TCP.
*.* @GRAYLOG_IP_HERE:PORT;GRAYLOGRFC5424

The above configuration will forward all syslog messages. To choose which syslog messages to forward, read below.

The line *.* @GRAYLOG_IP_HERE:PORT;GRAYLOGRFC5424 is made up of 3 main parts: the selector *.* (explained below), the Graylog address and the port:

GRAYLOG_IP_HERE = IP of the Graylog VM
PORT = Any port above 1000, e.g. 1514

As for *.*, syslog messages are classified by facility and severity:

The first * represents the facility used by rsyslog. For a list of facilities and their description:
https://wiki.gentoo.org/wiki/Rsyslog#Facility

The second * represents the severity of the message. For a list of severities:
https://wiki.gentoo.org/wiki/Rsyslog#Severity

e.g. to combine several filters, separate the selectors with a semicolon. The following selector (which replaces *.* at the start of the action line above) forwards messages of severity info and above from every facility, except those from the mail, authpriv and cron facilities:

*.info;mail.none;authpriv.none;cron.none
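To see what the GRAYLOGRFC5424 template puts on the wire and which messages a selector lets through before pointing rsyslog at Graylog, here is an added Python example that is not part of the original post: it parses a line in the template's format, decodes PRI back into rsyslog's facility and severity names, and emulates the legacy selector rules for filters like the one above. The sample lines, hostname, PIDs and IP address are constructed.

```python
import re

# Facility and severity names in syslog numbering order (RFC 5424 section 6.2.1),
# spelled the way rsyslog selectors use them; 12-15 are rarely seen in practice.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp", "ntp", "bsd_security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# One line as the GRAYLOGRFC5424 template emits it:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$")

def parse_rfc5424(line):
    """Split a template-formatted line into its fields and decode PRI
    (facility * 8 + severity) back into rsyslog's facility and severity names."""
    m = RFC5424_RE.match(line.rstrip("\n"))
    if not m or int(m.group("pri")) > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("not a valid RFC 5424 line: %r" % line)
    fields = m.groupdict()
    pri = int(fields["pri"])
    fields["facility"], fields["severity"] = FACILITIES[pri >> 3], SEVERITIES[pri & 7]
    return fields

def matches_selector(selector, facility, severity):
    """Emulate a legacy selector such as '*.info;mail.none;authpriv.none;cron.none':
    entries apply left to right and a later one overrides earlier ones for the same
    facility; a level means that severity or more urgent, '*' any, 'none' drops it."""
    sev_num, forward = SEVERITIES.index(severity), False
    for entry in selector.split(";"):
        facs, _, level = entry.strip().rpartition(".")
        if facs != "*" and facility not in facs.split(","):
            continue  # entry does not name this facility: keep the earlier decision
        if level == "none":
            forward = False
        elif level == "*":
            forward = True
        else:
            forward = sev_num <= SEVERITIES.index(level)
    return forward

# Constructed samples as the template would emit them: an sshd line (PRI 86 =
# authpriv.info) and the logger test from this post (PRI 24 = daemon.emerg).
SAMPLES = [
    "<86>1 2017-05-03T10:15:42+02:00 web01 sshd 1234 - - Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "<24>1 2017-05-03T10:16:01+02:00 web01 root 1300 - - This is a log message of facility daemon and severity emerg.",
]
```

With the post's filter selector, the sshd line (authpriv) is dropped while the daemon.emerg test message is forwarded; with *.* both go through.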

TESTING RSYSLOG CONFIGURATION

Once you have set the facility and severity you want to forward, you can test your changes with the logger command, which writes a message of the given facility and severity to syslog:
# logger -p facility.severity "TEST MESSAGE"

e.g.:
# logger -p daemon.emerg "This is a log message of facility daemon and severity emerg."

ADDING GRAYLOG INPUT

To receive the logs on Graylog, add a new Input Source on Graylog:
Click on System -> Inputs. From the drop-down choose Syslog UDP, then click on Launch new input.
Add a title and change the port number to match the one you specified earlier in the rsyslog configuration.


If you have any questions just leave a comment below and I’ll be happy to answer. You can also use the Facebook page for a faster response.

Tags: graylog, rsyslog

1 Comment

1. netacadlab
    November 27, 2017 at 11:04 am

Hi, I am having trouble: all messages are being forwarded to the Graylog server with the source IP of the syslog relay server. How can I get rid of the relay server’s IP when messages are received on the Graylog server?
