Step 1:
Access http://[your-graylog-server]:[portNumber]/system/inputs to obtain this information, as shown in this example:
Syslog_UDP Syslog UDP 1 RUNNING
allow_override_date: true
bind_address: 10.10.10.100
expand_structured_data: false
force_rdns: false
number_worker_threads: 4
override_source: <empty>
port: 514
recv_buffer_size: 1048576
store_full_message: false
Step 2:
Configure the Linux client (CentOS 8 is used in this illustration)
# Check whether rsyslog exists and is running:
[root@linuxbox ~]# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2018-12-16 23:49:45 PST; 17h ago
Docs: man:rsyslogd(8)
Main PID: 1230 (rsyslogd)
Tasks: 3 (limit: 48547)
Memory: 100.6M
CGroup: /system.slice/rsyslog.service
└─1230 /usr/sbin/rsyslogd -n
# Configure syslog:
# Check whether there are existing configs
[root@linuxbox ~]# ls /etc/rsyslog.d
# Empty output means there are no existing configurations
# Add a config file
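# Forward every syslog message from this host to a Graylog syslog input.
# Writes a single rsyslog forwarding rule into $configFile and restarts
# rsyslog so it takes effect. Run as root.
graylogServer=your-graylog-server
port=514 # this port is the default and may not be correct unless verified
protocol=udp # access http://your-graylog-server:9000/system/inputs to obtain this value
configFile=/etc/rsyslog.d/greylog.conf

# rsyslog forwarding syntax: a single "@" forwards over UDP, "@@" over TCP.
# The test needs spaces inside the brackets and a quoted variable; without
# them the shell looks for a command named "[udp" and the branch never runs.
if [[ "$protocol" == udp ]]; then
  prefix=@
else
  prefix=@@
fi

# Neither "@" nor "@@" encrypts the stream: log data leaves this host in
# cleartext, so only use these over a network segment you trust.
forward_rule="*.* ${prefix}${graylogServer}:${port};RSYSLOG_SyslogProtocol23Format"
printf '%s\n' "$forward_rule"

# Write the rule (overwriting any previous copy of this file) and show it back.
printf '%s\n' "$forward_rule" > "$configFile"
cat -- "$configFile"

# Restart rsyslog to apply the new configuration
systemctl restart rsyslog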