Hi Nyanjau,

as far as I see you didn't configure rsyslog to use SSL/TLS. Please refer 
to http://www.rsyslog.com/doc/v7-stable/tutorials/tls.html for details. 
Alternatively you can disable TLS in the Syslog TCP input in Graylog.

Additionally you don't need to define the message templates in your 
rsyslog configuration twice. In fact, you can simply use the built-in 
template RSYSLOG_SyslogProtocol23Format, see 
http://docs.graylog.org/en/1.2/pages/sending_data.html#rsyslog.


Cheers,
Jochen

On Tuesday, 24 November 2015 07:33:28 UTC+1, Nyanjau Kimani wrote:
>
> Morning Jochen,
>
> Thanks for your response. See below configuration details. Yes, indeed, I 
> am sending logs of the network devices to rsyslog which is running on the 
> graylog server which then sends to graylog.
>
> Graylog server Syslog TCP Input Definition
>     port: 1040
>     tls_client_auth: disabled
>     override_source:
>     store_full_message: true
>     bind_address: my_graylogserver_ip
>     tls_cert_file:
>     tls_client_auth_cert_file:
>     recv_buffer_size: 1048576
>     tls_key_password: *******
>     max_message_size: 2097152
>     tls_key_file: admin
>
> cat /etc/rsyslog.conf
> #### MODULES ####
> # The imjournal module below is now used as a message source instead of imuxsock.
> $ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
> $ModLoad imjournal # provides access to the systemd journal
> $ModLoad imklog # reads kernel messages (the same are read from journald)
> $PreserveFQDN on
> $ActionForwardDefaultTemplate RSYSLOG_ForwardFormat # for plain TCP and UDP
> # Provides UDP syslog reception
> $ModLoad imudp
> $UDPServerRun 514
>
> # Provides TCP syslog reception
> $ModLoad imtcp
> $InputTCPServerRun 514
>
> #Formatting Messages with templates
> $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
> *.* @my_graylogserver_ip:1040;GRAYLOGRFC5424
>
> $template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"
>  *.* @@my_graylogserver_ip:1040;GRAYLOGRFC5424
>
>
> On Monday, November 23, 2015 at 1:55:40 PM UTC+3, Jochen Schalanda wrote:
>>
>> Hi Nyanjau,
>>
>> could you please post the configuration of your Syslog input in Graylog 
>> (System -> Inputs -> [the contents of the gray field]) and of your rsyslog 
>> daemon?
>>
>> And just to clarify: You're sending the logs of some network appliances 
>> (routers) to rsyslog which in turn sends those to Graylog?
>>
>>
>> Cheers,
>> Jochen
>>
>> On Wednesday, 18 November 2015 07:17:37 UTC+1, Nyanjau Kimani wrote:
>>>
>>> Hi Guys,
>>>
>>> I am running latest graylog v1.2.2, with graylog web 1.2.2 and 
>>> elasticsearch 1.7. I use rsyslog to send log information to graylog server. 
>>> I am receiving logs from the routers on my graylog inputs, but they are 
>>> displayed with the IP address and not the hostname. My routers have both A 
>>> and PTR records. I have tried to add the PreserveFQDN command on the 
>>> rsyslog server config file without achieving the desired effect.
>>>
>>> Anyone who has successfully logged router and switch logs with graylog 
>>> 1.2.2 without having to use logstash to format the logs?
>>>
>>> Thanks.
>>>
>>>
>>> Regards,
>>>
>>> Nyanjau.
>>>
>>
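
The two points raised in the reply at the top of this thread (forwarding without TLS towards an input that expects it, and a template defined twice) can be checked mechanically. The following is an added example, not part of the original e-mails and not code from the rsyslog or Graylog projects; `lint`, `AS_POSTED`, `WITH_TLS` and the finding codes are made-up names, only rsyslog's legacy `$` directive syntax is covered, and whether the Graylog input has TLS enabled is passed in as an assumption (`input_expects_tls`).

```python
import re

# Constructed sample: forwarding part of the rsyslog.conf quoted above, unwrapped.
TPL = r'"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n"'
AS_POSTED = f"""
$template GRAYLOGRFC5424,{TPL}
*.* @my_graylogserver_ip:1040;GRAYLOGRFC5424
$template GRAYLOGRFC5424,{TPL}
*.* @@my_graylogserver_ip:1040;GRAYLOGRFC5424
"""

# Constructed corrected variant; the CA file path is a placeholder.
WITH_TLS = """
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /path/to/ca.pem
$ActionSendStreamDriverMode 1
*.* @@my_graylogserver_ip:1040;RSYSLOG_SyslogProtocol23Format
"""

DIRECTIVE = re.compile(r"^\$(\w+)\s*(.*)$")
# selector, "@" (UDP) or "@@" (TCP), optional (options), host, optional :port and ;template
FORWARD = re.compile(r"^\S+\s+(@@?)(?:\([^)]*\))?(?:\[[^\]]+\]|[^:;\s]+)(?::\d+)?(?:;\S+)?$")

def lint(conf, input_expects_tls):
    """Return (line_no, code) findings for legacy-syntax forwarding rules."""
    findings, templates, state = [], set(), {}
    for no, line in enumerate(conf.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        d = DIRECTIVE.match(line)
        if d:
            name, arg = d.group(1).lower(), d.group(2).strip()
            if name == "template":
                tname = arg.split(",", 1)[0].strip()
                if tname in templates:
                    findings.append((no, "duplicate-template"))
                templates.add(tname)
            else:
                # remember the setting in force for the actions that follow
                state[name] = arg.split("#")[0].strip().lower()
            continue
        f = FORWARD.match(line)
        if f:
            # "@" is UDP (never TLS); "@@" is TCP, TLS only with gtls and mode 1
            mode = (state.get("defaultnetstreamdriver"), state.get("actionsendstreamdrivermode"))
            tls = f.group(1) == "@@" and mode == ("gtls", "1")
            if tls != input_expects_tls:
                findings.append((no, "tls-mismatch"))
    return findings
```

`lint(AS_POSTED, True)` flags both forwarding actions and the repeated template, while `lint(WITH_TLS, True)` returns no findings.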
