[syslog-ng] Verifying local logs and remote logs are being sent to destination graylog

PÁSZTOR György pasztor at linux.gyakg.u-szeged.hu
Wed Nov 14 18:30:57 UTC 2018


I took a look at your debug bundle.

As far as I see the pcap file, tcp communication happens, but it's not
graylog's "protocol", it's the legacy rfc3164.
Unless graylog expecting legacy protocol, that's not correct.
Then I spotted this:

"Rodney Bizzell" <hardworker30 at gmail.com> írta 2018-11-12 14:59-kor:
> destination d_graylog {
> tcp("hostname of Graylog server"
> port (12201)
> );
> };

This configures a legacy tcp destination. It won't format the messages for
At least in case of graylog, the best choice for protocol would be gelf.
The correct configuration for gelf destination would be:
destination d_graylog {
  graylog2( host("hostname of Graylog server") );

Or if you want something more detailed or specific stuff, then you can use
destination d_graylog {
    "hostname of Graylog server"
    template("$(format-json --scope all-nv-pairs)\n")

Of course, if gelf destination expects zero terminated strings, than you
can replace the \n to \0 at the end of the template string.


More information about the syslog-ng mailing list