Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/Graylog2/graylog-guide-syslog-linux

How to send syslog from Linux systems into Graylog
https://github.com/Graylog2/graylog-guide-syslog-linux

documentation graylog guide linux rsyslog syslog syslog-ng

Last synced: about 2 months ago
JSON representation

How to send syslog from Linux systems into Graylog

Host: GitHub
URL: https://github.com/Graylog2/graylog-guide-syslog-linux
Owner: Graylog2
License: apache-2.0
Created: 2015-11-30T11:54:06.000Z (almost 9 years ago)
Default Branch: master
Last Pushed: 2018-11-06T13:01:55.000Z (almost 6 years ago)
Last Synced: 2024-06-03T04:39:33.168Z (4 months ago)
Topics: documentation, graylog, guide, linux, rsyslog, syslog, syslog-ng
Size: 7.81 KB
Stars: 78
Watchers: 23
Forks: 15
Open Issues: 6
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

## Sending syslog from Linux systems into Graylog

The two most popular syslog deamons (the programs that run in the background to accept and write or forward logs) are [rsyslog](https://www.rsyslog.com/) and [syslog-ng](https://syslog-ng.com/). One of these will most likely be running on your Linux distribution.

Please refer to the documentation of your distribution if you are not sure about this.

### ⚠️ Warning ⚠️

**These instructions configure rsyslog and syslog-ng to send log messages _unencrypted_ over the network. This is generally not recommended on public networks.**

### rsyslog

Forwarding syslog messages with rsyslog is easy. The only important thing to get the most out of your logs is following
[RFC 5424](http://www.ietf.org/rfc/rfc5424.txt). The following examples configure your `rsyslog` daemon to send
RFC 5424 date to Graylog syslog inputs:

##### UDP:

*.* @graylog.example.org:514;RSYSLOG_SyslogProtocol23Format

##### TCP:

*.* @@graylog.example.org:514;RSYSLOG_SyslogProtocol23Format

(The difference between UDP and TCP is using `@` instead of `@@` as target descriptor.)

The above configuration should be placed as new file ending in .conf in `/etc/rsyslog.d/` and rsyslog should be restarted. In addition the port 514 on the Graylog server need to be reachable from the sending server.

### Old rsyslog
If you're using a very old version of rsyslog (versions before rsyslog 5.10) which doesn't provide the built-in [RSYSLOG_SyslogProtocol23Format](http://www.rsyslog.com/doc/v5-stable/configuration/templates.html#string-based-templates>) template, you can create a custom message template.

For **UDP** this becomes:

$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* @graylog.example.org:514;GRAYLOGRFC5424

### syslog-ng

Configuring `syslog-ng` to send syslog to Graylog is equally simple. Use the `syslog` function to send
[RFC 5424](http://www.ietf.org/rfc/rfc5424.txt) formatted syslog messages via TCP to the remote Graylog host:

# Define TCP syslog destination.
destination d_net {
syslog("graylog.example.org" port(514));
};
# Tell syslog-ng to send data from source s_src to the newly defined syslog destination.
log {
source(s_src); # Defined in the default syslog-ng configuration.
destination(d_net);
};