Morning Jochen,
Thanks for your response. See below configuration details. Yes, indeed, I
am sending logs of the network devices to rsyslog which is running on the
graylog server which then sends to graylog.
Graylog server Syslog TCP Input Definition
port: 1040
tls_client_auth: disabled
override_source:
store_full_message: true
bind_address: my_graylogserver_ip
tls_cert_file:
tls_client_auth_cert_file:
recv_buffer_size: 1048576
tls_key_password: *******
max_message_size: 2097152
tls_key_file: admin

cat /etc/rsyslog.conf
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
$ModLoad imklog # reads kernel messages (the same are read from journald)
$PreserveFQDN on
$ActionForwardDefaultTemplate RSYSLOG_ForwardFormat # for plain TCP and UDP
# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
#Formatting Messages with templates
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* @my_graylogserver_ip:1040;GRAYLOGRFC5424
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
*.* @@my_graylogserver_ip:1040;GRAYLOGRFC5424

On Monday, November 23, 2015 at 1:55:40 PM UTC+3, Jochen Schalanda wrote:
>
> Hi Nyanjau,
>
> could you please post the configuration of your Syslog input in Graylog
> (System -> Inputs -> [the contents of the gray field]) and of your rsyslog
> daemon?
>
> And just to clarify: You're sending the logs of some network appliances
> (routers) to rsyslog which in turn sends those to Graylog?
>
>
> Cheers,
> Jochen
>
> On Wednesday, 18 November 2015 07:17:37 UTC+1, Nyanjau Kimani wrote:
>>
>> Hi Guys,
>>
>> I am running latest graylog v1.2.2, with graylog web 1.2.2 and
>> elasticsearch 1.7. I use rsyslog to send log information to graylog server.
>> I am receiving logs from the routers on my graylog inputs, but they are
>> displayed with the IP address and not the hostname. My routers have both A
>> and PTR records. I have tried to add the PreserveFQDN command on the
>> rsyslog server config file without achieving the desired effect.
>>
>> Anyone who has successfully logged router and switch logs with graylog
>> 1.2.2 without having to use logstash to format the logs?
>>
>> Thanks.
>>
>>
>> Regards,
>>
>> Nyanjau.
>>
>