Graylog and Rsyslog.d – Collecting logs from a remote system into Graylog

Prerequisite:

Set up a basic Graylog Virtual Appliance from the Graylog website. The easiest route is to download the OVA package and deploy it on the virtualization platform of your choice.

You can follow the Getting Started document on Graylog's website (they have great documentation):

https://docs.graylog.org/en/4.0/pages/getting_started/download_install.html

On Your Basic Graylog Virtual Appliance

Log in through the web portal of the Graylog Virtual Appliance.

[Screenshot: Login page of Graylog Virtual Appliance]

Add a new input of type Syslog UDP with the configuration shown below.

(Pay attention to the port: 5514. Using a port number above 1024 avoids "cannot bind to address/port" errors, because binding to ports below 1024 requires root privileges, which a non-root Graylog service does not have.)

[Screenshot: Configure Title and Port]

[Screenshot: Syslog Server started]



On Your Client Machine

Create a new file ending in .conf under /etc/rsyslog.d/, i.e. /etc/rsyslog.d/filename.conf (any name ending in .conf is picked up).

Add the line below, replacing the IP address and port with the ones appropriate for your environment, and open the firewall ports if required on both the client and the server end:

*.* @172.35.5.61:5514;RSYSLOG_SyslogProtocol23Format

Here *.* selects every facility and priority, a single @ forwards over UDP (matching the Syslog UDP input above; @@ would be TCP), and RSYSLOG_SyslogProtocol23Format is rsyslog's built-in RFC 5424 output template. Note that plain UDP syslog is neither encrypted nor authenticated, so outside a trusted network prefer a Syslog TCP input with TLS.

Restart the rsyslog service:
# systemctl restart rsyslog.service

Confirm from the client computer by sending a TestABC123 message with the below command:
# logger TestABC123

Result
TestABC123 appears in Graylog collected logs from remote computer over the network
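As an added example (not code from the original post), the small Python client below builds the RFC 5424 message shape that rsyslog emits with RSYSLOG_SyslogProtocol23Format and sends it straight to the Syslog UDP input, so the Graylog side can be verified independently of the rsyslog configuration. It uses the post's 172.35.5.61:5514; the hostname, app-name and fixed timestamp are constructed sample values.

```python
import socket
from datetime import datetime, timezone

# Graylog Syslog UDP input from the post; hostname/app-name below are constructed samples.
GRAYLOG_HOST = "172.35.5.61"
GRAYLOG_PORT = 5514
FACILITY_USER = 1     # facility `logger` uses by default
SEVERITY_NOTICE = 5   # severity `logger` uses by default
SAMPLE_TS = datetime(2021, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed fixed timestamp


def build_rfc5424(msg, facility=FACILITY_USER, severity=SEVERITY_NOTICE,
                  hostname="client01", app="testlogger", procid="-", timestamp=None):
    """Build one RFC 5424 message, the shape RSYSLOG_SyslogProtocol23Format emits:
    <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    PRI = facility * 8 + severity; '-' is the RFC 5424 NILVALUE.
    """
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    pri = facility * 8 + severity
    ts = (timestamp or datetime.now(timezone.utc)).isoformat(timespec="milliseconds")
    header = f"<{pri}>1 {ts} {hostname} {app} {procid} - -"
    return f"{header} {msg}".encode("utf-8")


def parse_pri(message):
    """Decode (facility, severity) from the leading <PRI> of a received message."""
    if not message.startswith(b"<") or b">" not in message[:5]:
        raise ValueError("message does not start with a valid <PRI>")
    pri = int(message[1:message.index(b">")])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8


def send_udp(message, host=GRAYLOG_HOST, port=GRAYLOG_PORT):
    """Send one datagram to the Syslog UDP input; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message, (host, port))


if __name__ == "__main__":
    datagram = build_rfc5424("TestABC123")
    print(datagram.decode())   # the same text that should appear in Graylog
    send_udp(datagram)
```

If the message arrives under the wrong source or timestamp, the HOSTNAME and TIMESTAMP fields of the datagram are the first things to check, since Graylog's syslog codec takes both from the message rather than from the sending IP.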
Links

https://marketplace.graylog.org/addons/a47beb3b-0bd9-4792-a56a-33b27b567856
