Sending Linux Syslogs to Graylog Server
In the previous blog, we talked about Graylog and its important properties. We have also talked about how to install Graylog locally and get started.
Here is the link for that blog, https://saumyapandey.hashnode.dev/getting-started-with-graylog
In this blog, we will learn how to send syslog messages from a Linux machine to a Graylog server.
I have already provided the details of installing Graylog in the previous blog so I will start by opening the dashboard in the browser.
Start the docker-compose file:
To access Graylog, first start the stack from the docker-compose file using
docker-compose up
or, to run it in the background,
docker-compose up -d
Accessing the Graylog dashboard:
To access the Graylog dashboard, open the URL http://localhost:9000/ in your browser. You will then be prompted to enter a username and password like this.
Enter admin as the username. The default password is yourpassword, or, if you changed the password while setting up the .env file, enter that password instead.
Creating a new input:
Once logged in you will land on the Search page by default; if not, you can move to it, which is straightforward.
Then open the System tab from the top bar and select Inputs there.
After selecting Inputs, you need to create a new input. Click the Select input option, choose Syslog UDP, and then click Launch new input. Currently, we are targeting UDP syslog.
Launching a new input
After clicking the Launch new input button you will get a prompt like this:
Here you need to check the Global checkbox. Then fill in the Title input box to name your new input; I have named it linux-syslog. By default the Bind address will be 0.0.0.0; leave it like that. Enter the port number in the Port input box; I have given it 5140. You can check it in the docker-compose file, in the list of open ports (the image below shows that list). Then leave the rest of the inputs as they are and click Launch input at the end. You will see that the linux-syslog input has been launched with running status under Global inputs.
- Set up a .conf file for Graylog
Go to your terminal and create a graylog.conf file under the rsyslog.d folder (/etc/rsyslog.d/ on most distributions).
Add this line to your graylog.conf file, replacing the IP address with the address of your Graylog server. We are using port 5140 for UDP syslog.
*.* @172.16.10.51:5140;RSYSLOG_SyslogProtocol23Format
Let's break down this syslog forwarding configuration:
The first part, "*.*", is the selector: the syslog facility and severity levels that will be forwarded. The asterisk (*) on each side of the dot means all facilities and all severities, so every log message generated by the local system is sent to the remote system.
The "@" symbol indicates that the string following it is the hostname or IP address of the remote system that will receive the forwarded logs.
"172.16.10.51" is the IP address of the remote system that will receive the logs.
":5140" is the port on the remote system where the syslog messages will be received; in this case, port 5140.
";RSYSLOG_SyslogProtocol23Format" specifies the format of the syslog messages being sent. It is an optional parameter that selects the syslog protocol format; here, RSYSLOG_SyslogProtocol23Format selects the syslog protocol 23 message format. This format includes additional metadata such as the hostname, timestamp and facility level, which makes the logs easier to analyze.
If you want to use TCP instead, change that line as below:
*.* @@172.16.10.51:5140;RSYSLOG_SyslogProtocol23Format
The only difference between the UDP and TCP versions is the target descriptor: a single @ selects UDP, while @@ selects TCP.
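The breakdown above written as code, as an added example that is not part of the original post and not rsyslog's own parser: forward_rule builds a forwarding line from host, port and transport, and parse_forward_rule decomposes one back into selector, transport, host, port and template. The function names, the regular expression and the fallback to port 514 when no port is given are this example's own assumptions.

```python
"""Build and decompose rsyslog legacy forwarding rules such as
    *.* @172.16.10.51:5140;RSYSLOG_SyslogProtocol23Format
(added example; assumes the legacy "selector action" line syntax shown above)."""
import re

# selector, whitespace, @ (UDP) or @@ (TCP), host or [ipv6], optional :port, optional ;template
RULE = re.compile(
    r"^(?P<selector>\S+)\s+(?P<target>@@?)(?P<host>\[[^\]]+\]|[^:;\s]+)"
    r"(?::(?P<port>\d+))?(?:;(?P<template>\S+))?$"
)


def forward_rule(host, port=5140, proto="udp", selector="*.*",
                 template="RSYSLOG_SyslogProtocol23Format"):
    """Render one forwarding line; proto decides between @ (UDP) and @@ (TCP)."""
    if proto not in ("udp", "tcp"):
        raise ValueError("proto must be 'udp' or 'tcp'")
    target = "@" if proto == "udp" else "@@"
    return f"{selector} {target}{host}:{port};{template}"


def parse_forward_rule(line):
    """Split a forwarding line into the parts discussed in the text."""
    m = RULE.match(line.strip())
    if not m:
        raise ValueError(f"not a forwarding rule: {line!r}")
    facility, severity = m["selector"].split(".", 1)
    return {
        "facility": facility,                       # "*" means every facility
        "severity": severity,                       # "*" means every severity
        "protocol": "udp" if m["target"] == "@" else "tcp",
        "host": m["host"],
        "port": int(m["port"] or 514),              # assumption: syslog default when omitted
        "template": m["template"],                  # None when no ;template suffix
    }


if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        rule = forward_rule("172.16.10.51", 5140, proto)
        print(rule)
        print(parse_forward_rule(rule))
```

The generated file can be syntax-checked before the restart with rsyslogd -N1, which parses the configuration without starting the daemon.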
Restart the rsyslog service:
Finally, we need to restart the rsyslog service:
systemctl restart rsyslog
We have finished the configuration on the Linux server. Now we can move to the Graylog server and check the Search page. We will be able to see logs popping up on our server.
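To see what the Graylog input receives once logs start arriving, here is an added example (not code from the original post or from Graylog) that renders a message in the layout rsyslog's RSYSLOG_SyslogProtocol23Format template produces, sends it over loopback the way the @ (UDP) and @@ (TCP) actions would, and decodes the PRI value into the facility and severity that Graylog shows as fields. The loopback listener stands in for the Graylog input, the sample sshd line is constructed, and the function names are this example's own.

```python
"""Round-trip a protocol-23 (RFC 5424) syslog message over loopback.
Added example; the receiver is a stand-in for Graylog's syslog input."""
import re
import socket
from datetime import datetime, timezone

# Layout emitted by rsyslog's RSYSLOG_SyslogProtocol23Format template:
#   <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$"
)

# PRI = facility * 8 + severity, using the standard syslog numbering
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def format_rfc5424(facility, severity, host, app, msg, procid="-", msgid="-", ts=None):
    """Render one message the way the protocol-23 template would."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    if ts is None:
        ts = datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return f"<{pri}>1 {ts} {host} {app} {procid} {msgid} - {msg}"


def parse_rfc5424(line):
    """Extract the fields a receiver would index: facility, severity, source, timestamp, message."""
    m = RFC5424.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    pri = int(m["pri"])
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": m["ts"],
        "host": m["host"],
        "app": m["app"],
        "msg": m["msg"] or "",
    }


def relay(line, proto="udp"):
    """Listen on an ephemeral loopback port, send `line` as the @ (UDP) or @@ (TCP)
    action would, and return what the listener received."""
    if proto == "udp":
        rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            tx.sendto(line.encode(), rx.getsockname())   # one datagram per message
            data, _ = rx.recvfrom(65535)
        finally:
            tx.close()
            rx.close()
        return data.decode()
    if proto != "tcp":
        raise ValueError("proto must be 'udp' or 'tcp'")
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(2)
    tx = socket.create_connection(srv.getsockname(), timeout=2)
    try:
        tx.sendall((line + "\n").encode())            # @@ delimits messages with a newline
        conn, _ = srv.accept()
        conn.settimeout(2)
        buf = b""
        while not buf.endswith(b"\n"):                # read until the frame delimiter
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
        conn.close()
    finally:
        tx.close()
        srv.close()
    return buf.decode().rstrip("\n")


if __name__ == "__main__":
    # constructed sample line, not a real log entry
    sample = format_rfc5424("auth", "info", "web01", "sshd",
                            "Accepted publickey for deploy from 10.0.0.5 port 51522 ssh2",
                            procid="1234", ts="2024-05-01T10:00:00.000Z")
    for proto in ("udp", "tcp"):
        print(proto, parse_rfc5424(relay(sample, proto)))
```

The UDP path shows why a lost datagram is a lost message, while the TCP path shows the newline framing the @@ action relies on; Graylog's Syslog UDP input expects exactly the single-datagram form used here.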
You can explore these dashboard logs and the different options. That's all for this blog.
Written by DevOps Talks