[syslog-ng] Verifying local logs and remote logs are being sent to destination graylog

Rodney Bizzell hardworker30 at gmail.com
Mon Nov 19 21:39:21 UTC 2018


So I made the changes to the syslog-ng config for the graylog destination
configuration and started the debug mode again, hopped on another terminal
and ran the logger command with a test message, but I still see nothing getting
into my graylog server.  I am uploading the debug file again to see if
there is something I am missing. On my graylog side, I have inputs set up:
Syslog, and I have a GELF input set up as well.

On Wed, Nov 14, 2018 at 1:31 PM PÁSZTOR György <
pasztor at linux.gyakg.u-szeged.hu> wrote:

> Hi,
>
> I took a look at your debug bundle.
>
> As far as I can see from the pcap file, tcp communication happens, but it's
> not graylog's "protocol", it's the legacy rfc3164.
> Unless graylog is expecting the legacy protocol, that's not correct.
> Then I spotted this:
>
> "Rodney Bizzell" <hardworker30 at gmail.com> wrote on 2018-11-12 at 14:59:
> > destination d_graylog {
> > tcp("hostname of Graylog server"
> > port (12201)
> > );
> > };
>
> This configures a legacy tcp destination. It won't format the messages for
> gelf.
> At least in case of graylog, the best choice for protocol would be gelf.
> The correct configuration for gelf destination would be:
> destination d_graylog {
>   graylog2( host("hostname of Graylog server") );
> };
>
> Or if you want something more detailed or specific, then you can use
> this:
> destination d_graylog {
>   network(
>     "hostname of Graylog server"
>     port(12201)
>     transport(tcp)
>     template("$(format-json --scope all-nv-pairs)\n")
>   );
> };
>
> Of course, if the gelf destination expects zero terminated strings, then you
> can replace the \n with \0 at the end of the template string.
>
> Regards,
> Gyu
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: syslog.debun.tgz
Type: application/gzip
Size: 53343 bytes
Desc: not available
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20181119/a093ab08/attachment-0001.bin>
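
The check made by eye on the pcap in the quoted reply (legacy RFC 3164 versus GELF on the wire) can be scripted; this is an added example, not code from the thread or from the syslog-ng or Graylog projects. It assumes the GELF 1.1 required fields `version`, `host` and `short_message` and NUL or newline framing; the function names and sample payloads are constructed for illustration.

```python
import json
import re

# RFC 3164 line: "<PRI>Mmm dd hh:mm:ss host tag: message"
RFC3164 = re.compile(rb"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} \S+ ")
GELF_REQUIRED = ("version", "host", "short_message")  # assumed: GELF 1.1


def split_frames(stream: bytes):
    """Return (delimiter_name, frames) for one captured TCP payload."""
    if b"\x00" in stream:
        name, delim = "NUL", b"\x00"
    else:
        name, delim = "LF", b"\n"
    return name, [f for f in stream.split(delim) if f.strip()]


def classify_frame(frame: bytes) -> str:
    """Label one frame as rfc3164, gelf, json-not-gelf or unknown."""
    frame = frame.strip()
    m = RFC3164.match(frame)
    if m and int(m.group(1)) <= 191:  # PRI = facility*8 + severity, max 23*8+7
        return "rfc3164"
    try:
        doc = json.loads(frame)
    except ValueError:  # covers JSON and UTF-8 decode errors
        return "unknown"
    if not isinstance(doc, dict):
        return "unknown"
    missing = [k for k in GELF_REQUIRED if k not in doc]
    if missing:
        return "json-not-gelf (missing: %s)" % ", ".join(missing)
    return "gelf"


def report(stream: bytes):
    """Return (framing, [label per frame]) for a captured payload."""
    name, frames = split_frames(stream)
    return name, [classify_frame(f) for f in frames]


# Constructed sample payloads, not taken from the attached capture.
LEGACY = b"<13>Nov 19 21:39:21 client1 rodney: test message\n"
PLAIN_JSON = b'{"HOST":"client1","MESSAGE":"test message","PROGRAM":"rodney"}\n'
GELF = b'{"version":"1.1","host":"client1","short_message":"test message","level":5}\x00'

if __name__ == "__main__":
    for label, payload in (("legacy", LEGACY), ("json", PLAIN_JSON), ("gelf", GELF)):
        print(label, report(payload))
```

Feed `report()` the reassembled client-to-server bytes of the connection to port 12201; a result other than `gelf` means a GELF input has nothing it can parse.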

