Graylog makes it easy to send syslog information from clients to the hosting server. Jack Wallen shows you how.
You’ve installed the Graylog system log manager to keep tabs on all of those Linux log files. It’s a great way to monitor various security layers and systems on the Linux servers in your data center. Out of the box, it’s going to do a great job of helping you monitor the logs on the server it’s installed on.
But what about those other servers?
Fortunately, Graylog makes it fairly painless to add remote servers to the list of machines to monitor. I’m going to show you how to do just that.
What you’ll need
- A Linux server hosting Graylog
- Some Linux clients to add
How to configure Graylog to accept incoming syslog entries
We’re going to set up Graylog to accept syslog entries. Log in to your Graylog server and click System/Inputs. From the resulting window, select Syslog UDP from the Select Input drop-down (Figure A).
Figure A
Click Launch New Input and fill out the input details shown in Figure B:
Figure B
Once you’ve filled out that information, click Save. Now we need to configure our clients.
How to configure your Linux clients to send syslog information
Now that Graylog is accepting syslog information, we need to configure our clients to send the information. To do that, SSH into a different Linux server (one you want to have send syslog details to Graylog) and create a new rsyslog configuration file with the command:
sudo nano /etc/rsyslog.d/90-graylog.conf
In that file, paste the following:
*.* @SERVER:5140;RSYSLOG_SyslogProtocol23Format
Replace SERVER with the IP address of your Graylog server; the port (5140) must match the port you gave the Syslog UDP input.
Save and close the file. Restart rsyslog with the command:
sudo systemctl restart rsyslog
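To see what that one-line rule actually puts on the wire, here is an added example (not code from the article or from Graylog/rsyslog). It parses the legacy rsyslog forwarding rule to confirm where it sends and over which transport (a single @ is UDP, which is what the Syslog UDP input expects; @@ would be TCP and would need a Syslog TCP input instead), builds and parses an RFC 5424 message of the shape the RSYSLOG_SyslogProtocol23Format template emits, decoding PRI into facility and severity the way Graylog displays them, and sends one datagram to a throwaway UDP listener on loopback to show the client and server halves of the exchange. It uses only the Python 3 standard library; the host names, the sshd log line and the 192.0.2.10 address are constructed sample data.

```python
import re
import socket
from datetime import datetime, timezone

# Facility and severity names as numbered in RFC 5424 section 6.2.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Legacy rsyslog forwarding rule: "<selector> @[@]host[:port][;template]".
# "@" means UDP, "@@" means TCP. A parenthesised option block such as "@(o)"
# is accepted but not interpreted here.
FORWARD_RULE = re.compile(
    r"^(?P<selector>\S+)\s+(?P<transport>@@?)(?:\([^)]*\))?"
    r"(?P<host>\[[^\]]+\]|[^:;\s]+)(?::(?P<port>\d+))?(?:;(?P<template>\S+))?$"
)

# RFC 5424 header as produced by the RSYSLOG_SyslogProtocol23Format template:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# Structured data with an escaped "]" inside a quoted value is not handled.
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$",
    re.DOTALL,
)

# Constructed sample datagram: facility 4 (auth) * 8 + severity 6 (info) = PRI 38.
# The double space after the "-" structured-data field mimics rsyslog, whose
# %msg% property keeps the leading space of the original line.
SAMPLE = (
    b"<38>1 2024-05-01T09:15:00+00:00 client01 sshd 1234 - -  "
    b"Accepted publickey for alice from 192.0.2.10 port 51234 ssh2\n"
)


def parse_forward_rule(line: str) -> dict:
    """Check a forwarding line before restarting rsyslog: where does it send, and how."""
    m = FORWARD_RULE.match(line.strip())
    if m is None:
        raise ValueError(f"not a forwarding rule: {line!r}")
    return {
        "selector": m["selector"],
        "transport": "tcp" if m["transport"] == "@@" else "udp",
        "host": m["host"].strip("[]"),          # bracketed IPv6 literal -> bare address
        "port": int(m["port"]) if m["port"] else 514,  # rsyslog's default syslog port
        "template": m["template"],              # None when no ";template" suffix
    }


def parse_rfc5424(datagram: bytes) -> dict:
    """Decode one received datagram into the fields Graylog shows per message."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = RFC5424.match(text)
    if m is None:
        raise ValueError(f"not an RFC 5424 message: {text!r}")
    pri = int(m["pri"])
    if pri > 191:                               # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)         # PRI = facility * 8 + severity
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m["timestamp"],
        "host": m["host"],
        "app": m["app"],
        "procid": m["procid"],
        "msgid": m["msgid"],
        "structured_data": m["sd"],
        "message": (m["msg"] or "").lstrip(),
    }


def build_rfc5424(facility: int, severity: int, host: str, app: str, message: str,
                  procid: str = "-", msgid: str = "-") -> bytes:
    """Produce a datagram in the same layout rsyslog's protocol-23 template emits."""
    pri = facility * 8 + severity
    ts = datetime.now(timezone.utc).isoformat(timespec="seconds")  # RFC 3339 form
    return f"<{pri}>1 {ts} {host} {app} {procid} {msgid} - {message}\n".encode()


def loopback_exchange(datagram: bytes) -> dict:
    """Client side sends one UDP datagram; server side receives and parses it.

    A throwaway listener on 127.0.0.1 with an OS-chosen port stands in for the
    Graylog Syslog UDP input (which in the article listens on 5140)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server.settimeout(2)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(datagram, server.getsockname())
        received, _ = server.recvfrom(65535)
    finally:
        client.close()
        server.close()
    return parse_rfc5424(received)


if __name__ == "__main__":
    print(parse_forward_rule("*.* @SERVER:5140;RSYSLOG_SyslogProtocol23Format"))
    print(parse_rfc5424(SAMPLE))
    print(loopback_exchange(build_rfc5424(4, 6, "client01", "sshd", "rsyslog forwarding test")))
```

Running the script prints the decoded rule (transport udp, port 5140, the protocol-23 template), the parsed sample as auth/info from client01, and the loopback round trip. Because the article's rule uses a single @, messages travel over UDP with no acknowledgement and no encryption, which is fine on a trusted management network but is why production deployments often move to a TCP input with TLS.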
How to view syslog entries on Graylog
If you go back to your Graylog server and click Search, you should see listings of all syslog entries from the newly added client. Click one of the entries in the bottom pane to view its details (Figure C).
Figure C
And that's all there is to adding a client to Graylog. Having syslog information sent to the Graylog server will give you plenty of information to start combing through.