Logs from var logs

On Tue, Nov 6, 2018, 1:03 AM Péter, Kókai <peter.kokai@oneidentity.com wrote:
Hello,

Please do not assume we know about default configuration, as we do not know the source of your packages. (of course I could guess, but assumption are mostly source of errors)

Yes with **log** you can and should connect source and destination - just like in your e-mail.

Could you please be more specific about what you mean by local logs ? Logs from journal (if you have systemd), logs from files (/var/log/...) ?

A good bet would be the **system** source, that should detect the system and choose the appropriate method to collect the host logs.
See: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.18/administration-guide/25#TOPIC-1043976


I would suggest for you to break up your debugging process:
* Verify if you could send logs to graylog (I think this was done)
* Verify if you could collect local logs (for example print those logs into a file instead of graylog)

If the above two are okay, you can connect them with a log and should work.


--
Kokan

On Mon, Nov 5, 2018 at 9:55 PM Rodney Bizzell <hardworker30@gmail.com> wrote:
Do I need to do something like this?

# Define TCP syslog destination.
destination d_net {
    syslog("graylog.example.org" port(514));
};
# Tell syslog-ng to send data from source s_src to the newly defined syslog destination.
log {
    source(s_src); # Defined in the default syslog-ng configuration.
    destination(d_net);
};
syslog server not sending local logs to graylog

On Mon, Nov 5, 2018 at 2:32 PM Péter, Kókai <peter.kokai@oneidentity.com> wrote:
Dear Rodney Bizzell,

I would kindly ask you to either start a new thread or reply to with a relevant information in the mailing list. Otherwise it is really hard to send follow up to your and others questions.

As to per your question. Probably you want to forward your other logs to where syslog-ng is running :) and configure syslog-ng to receive those other logs, and connect the destination that already can send to graylog with the source that can and does receive other logs.

In practice:

@version: 3.18
@include "scl.conf"

source my_s { default-network-driver(); };

destination graylog { #graylog destination
};

log {  source(my_s); destination(graylog); }; 

I hope this helps.

Best regards,
Peter Kokai

On Mon, Nov 5, 2018 at 7:52 PM Rodney Bizzell <hardworker30@gmail.com> wrote:
I got syslog to send and echo test message from syslog server to my graylog box. How do I ensure that my syslog box will send other servers logs to my graylog box through my syslog server. I am going to setup ipvsadm as load-balancer to point my legacy application to my syslog server and then they should get shipped through to graylog. Any information is greatly appreciated
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq

______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq