<div dir="auto">I am going to make the changes and post what I did</div><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 6, 2018, 6:22 AM Péter, Kókai <<a href="mailto:peter.kokai@oneidentity.com">peter.kokai@oneidentity.com</a> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>Okay, how did you try to collect those logs? (like file, wildcard-file)</div><div><br></div><div>--</div><div>Kokan</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 6, 2018 at 10:17 AM Rodney Bizzell <<a href="mailto:hardworker30@gmail.com" target="_blank" rel="noreferrer">hardworker30@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto">Logs from var logs</div><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 6, 2018, 1:03 AM Péter, Kókai <<a href="mailto:peter.kokai@oneidentity.com" target="_blank" rel="noreferrer">peter.kokai@oneidentity.com</a> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>Please do not assume we know about default configuration, as we do not know the source of your packages. (of course I could guess, but assumptions are mostly a source of errors)</div><div><br></div><div>Yes, with **log** you can and should connect source and destination - just like in your e-mail.</div><div><br></div><div>Could you please be more specific about what you mean by local logs? Logs from journal (if you have systemd), logs from files (/var/log/...) 
?</div><div><br></div><div>A good bet would be the **system** source, that should detect the system and choose the appropriate method to collect the host logs.</div><div>See: <a href="https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.18/administration-guide/25#TOPIC-1043976" rel="noreferrer noreferrer" target="_blank">https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.18/administration-guide/25#TOPIC-1043976</a></div><div><br></div><div><br></div><div>I would suggest for you to break up your debugging process:</div><div>* Verify if you could send logs to graylog (I think this was done)</div><div>* Verify if you could collect local logs (for example print those logs into a file instead of graylog)</div><div><br></div><div>If the above two are okay, you can connect them with a log and it should work.</div><div><br></div><div><br></div><div>--</div><div>Kokan</div><br><div class="gmail_quote"><div dir="ltr">On Mon, Nov 5, 2018 at 9:55 PM Rodney Bizzell <<a href="mailto:hardworker30@gmail.com" rel="noreferrer noreferrer" target="_blank">hardworker30@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Do I need to do something like this?<div><br></div><div><pre style="box-sizing:border-box;font-family:SFMono-Regular,Consolas,"Liberation Mono",Menlo,Courier,monospace;font-size:13.6px;margin-top:0px;background-color:rgb(246,248,250);border-radius:3px;line-height:1.45;overflow:auto;padding:16px;color:rgb(36,41,46);margin-bottom:0px"><code style="box-sizing:border-box;font-family:SFMono-Regular,Consolas,"Liberation Mono",Menlo,Courier,monospace;font-size:13.6px;background:initial;border-radius:3px;margin:0px;padding:0px;border:0px;word-break:normal;display:inline;line-height:inherit;overflow:visible"># Define TCP syslog destination.
destination d_net {
    syslog("graylog.example.org" port(514));
};
# Tell syslog-ng to send data from source s_src to the newly defined syslog destination.
log {
    source(s_src); # Defined in the default syslog-ng configuration.
    destination(d_net);
};</code></pre><pre style="box-sizing:border-box;font-family:SFMono-Regular,Consolas,"Liberation Mono",Menlo,Courier,monospace;font-size:13.6px;margin-top:0px;background-color:rgb(246,248,250);border-radius:3px;line-height:1.45;overflow:auto;padding:16px;color:rgb(36,41,46);margin-bottom:0px"><code style="box-sizing:border-box;font-family:SFMono-Regular,Consolas,"Liberation Mono",Menlo,Courier,monospace;font-size:13.6px;background:initial;border-radius:3px;margin:0px;padding:0px;border:0px;word-break:normal;display:inline;line-height:inherit;overflow:visible">syslog server not sending local logs to graylog</code></pre></div><br><div class="gmail_quote"></div></div><div dir="ltr"><div class="gmail_quote"><div dir="ltr">On Mon, Nov 5, 2018 at 2:32 PM Péter, Kókai <<a href="mailto:peter.kokai@oneidentity.com" rel="noreferrer noreferrer" target="_blank">peter.kokai@oneidentity.com</a>> wrote:<br></div></div></div><div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Dear Rodney Bizzell,<div><br></div><div>I would kindly ask you to either start a new thread or reply with relevant information in the mailing list. Otherwise it is really hard to send follow-ups to your and others' questions.</div><div><br></div><div>As per your question. 
Probably you want to forward your other logs to where syslog-ng is running :) and configure syslog-ng to receive those other logs, and connect the destination that already can send to graylog with the source that can and does receive other logs.</div><div><br></div><div>In practice:</div><div><br></div><div>@version: 3.18</div><div>@include "scl.conf"</div><div><br></div><div>source my_s { default-network-driver(); };</div><div><br></div><div>destination graylog { #graylog destination</div><div>};</div><div><br></div><div>log {  source(my_s); destination(graylog); }; </div><div><br></div><div>I hope this helps.</div><div><br></div><div>Best regards,</div><div>Peter Kokai</div><br><div class="gmail_quote"><div dir="ltr">On Mon, Nov 5, 2018 at 7:52 PM Rodney Bizzell <<a href="mailto:hardworker30@gmail.com" rel="noreferrer noreferrer" target="_blank">hardworker30@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I got syslog to send an echo test message from syslog server to my graylog box. How do I ensure that my syslog box will send other servers' logs to my graylog box through my syslog server? I am going to set up ipvsadm as a load balancer to point my legacy application to my syslog server and then they should get shipped through to graylog. Any information is greatly appreciated.</div>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div></div>
</blockquote></div></div>
</blockquote></div></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
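<div>Added example, not part of the thread and not either poster's configuration: a syslog-ng 3.18 configuration that follows the debugging procedure suggested in the quoted reply, first writing collected logs to a file and then connecting the same sources to the Graylog destination. The source and destination names and the debug file path are assumptions; graylog.example.org is the placeholder host used in the thread.</div>

```conf
@version: 3.18
@include "scl.conf"

# Local host logs. system() detects the platform and picks the matching
# collection method; internal() adds syslog-ng's own messages, which is
# where destination connection errors are reported.
source s_local {
    system();
    internal();
};

# Logs forwarded by other hosts. default-network-driver() is provided by scl.conf.
source s_remote {
    default-network-driver();
};

# Debug destination: a local file showing exactly what syslog-ng collected.
# The path is an assumption made for this example.
destination d_debug_file {
    file("/var/log/syslog-ng-debug.log");
};

# The Graylog destination from the thread (placeholder host name).
destination d_graylog {
    syslog("graylog.example.org" transport("tcp") port(514));
};

# Check 1: are local and remote logs being collected at all?
log {
    source(s_local);
    source(s_remote);
    destination(d_debug_file);
};

# Check 2: once the file fills up as expected, connect the same sources
# to the destination that was already verified against Graylog.
log {
    source(s_local);
    source(s_remote);
    destination(d_graylog);
};
```

<div>Validate the file with <code>syslog-ng --syntax-only</code> before reloading, then send a test line with <code>logger</code> and confirm it appears in the debug file before looking for it in Graylog.</div>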