
How to send Debian logs to a Graylog server

Graylog is a centralized log management platform for collecting, storing and searching large volumes of machine data in near real time. It is widely used in DevOps environments, supports multiple platforms, and can run in containers on Docker or Kubernetes.

Graylog receives data through inputs, each bound to a transport and a message format. Syslog inputs (UDP or TCP) cover Unix-like systems and any application that logs through syslog, GELF (Graylog Extended Log Format) is Graylog's own structured format, and Windows Event Logs are usually shipped to Graylog by an agent such as Graylog Sidecar.

Step 1. Setting up Graylog Input

Before configuring the Debian server, set up an input on the Graylog server to receive its messages.
Linux hosts are easiest to connect with a Syslog input: you create an input of type Syslog UDP, and Graylog starts a listener on the bind address and port you choose.
Open your web browser and visit your Graylog server installation (i.e., http://graylog.localhost/). Log in with the admin user and the password you configured when installing Graylog.
Click the System menu, then Inputs, to open the inputs page.
In the input-type drop-down, select "Syslog UDP" and click the "Launch new input" button.

Now, you will need to set up the Syslog input on the Graylog server:

1. Leave the Node at its default; it is selected automatically.

2. Enter a Title for the new input, for example "Syslog UDP."

3. The bind address is the IP address the input listens on. Use one local IP address of the server, or 0.0.0.0 to listen on all of its addresses. Keep in mind that plain syslog over UDP has no authentication, so anything that can reach this port can inject messages: restrict access with a firewall or security group to the hosts that are supposed to send logs.

4. The port is the UDP port the input listens on. Make sure no other service uses it, and pick a port above 1024: ports below 1024 are privileged and the unprivileged account Graylog runs as cannot bind them, which is why the standard syslog port 514 is not used here. In this demo, we are using UDP port 5140.

Click the Launch input button to create the input.
The inputs page now lists every input running on the Graylog server. The new "Syslog UDP" input should show as running on UDP port 5140 with bind address 0.0.0.0, that is, on all IP addresses of the server.

Step 2. Configure the Debian server to send logs to the Graylog server

Now, it’s time to configure the Debian server to send logs to the Graylog server. This can be done by using the Rsyslog service.
First, connect to your Debian server using the ssh command below.

ssh root@server-ip

Install the rsyslog package on the Debian server. Older Debian releases ship it by default; Debian 12 (bookworm) and later do not, so it may need to be installed.

apt-get install rsyslog

Now verify the Rsyslog service using the below command.

systemctl is-enabled rsyslog
systemctl status rsyslog

The output should show that rsyslog is enabled (it starts at boot) and active (running).

To forward logs to Graylog, add a new rsyslog configuration snippet. The main configuration file is /etc/rsyslog.conf, and it includes every *.conf file in the /etc/rsyslog.d directory, so additional rules belong there.

Create a new additional rsyslog configuration “/etc/rsyslog.d/60-graylog.conf” using nano editor.

nano /etc/rsyslog.d/60-graylog.conf

Add the following line to the file (legacy rsyslog syntax):

*.* @10.110.0.3:5140;RSYSLOG_SyslogProtocol23Format

Save and close the file when you are done.

Here *.* selects messages of every facility and severity, the single @ forwards them over UDP (@@ would use TCP), 10.110.0.3 is the Graylog server's IP address, 5140 is the port of the Syslog UDP input from Step 1, and RSYSLOG_SyslogProtocol23Format is a built-in template that emits RFC 5424 formatted messages, which the Graylog Syslog input parses into structured fields. The space between the selector *.* and the @ target is required.

Now restart the rsyslog service to apply new changes and configuration using the below command.

systemctl restart rsyslog

That completes the basic rsyslog configuration for forwarding logs to Graylog. Keep in mind what plain UDP syslog does not give you: messages are not acknowledged, so they are silently lost when the network or the input is overloaded, and they are neither encrypted nor authenticated on the wire. For anything beyond a lab, create a Syslog TCP input with TLS enabled on the Graylog side and forward over TCP (@@) using rsyslog's TLS support.
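As an added example (not part of the original tutorial, and not code from Graylog or rsyslog), the Python script below shows what Step 2 actually puts on the wire. It generates the forwarding rule above for UDP or TCP (plus its RainerScript equivalent), builds the RFC 5424 message that the RSYSLOG_SyslogProtocol23Format template produces, decodes its PRI field into facility and severity the way the Graylog Syslog input does, and runs one datagram through a UDP listener on 127.0.0.1 that stands in for the Graylog input. The host names, addresses, process ID and log text are constructed for the demonstration.

```python
"""Added example: rsyslog forwarding rule, RFC 5424 wire format and its decoding.
Not code from the tutorial, Graylog or rsyslog; all sample data is constructed."""
import re
import socket
from dataclasses import dataclass
from datetime import datetime, timezone

# Facility (PRI // 8) and severity (PRI % 8) names from RFC 5424 section 6.2.1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] \
             + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def rsyslog_forward_rule(host, port, proto="udp"):
    """Legacy-syntax forwarding rule: one '@' forwards over UDP, '@@' over TCP.
    The selector ('*.*' = every facility and severity) and the action must be
    separated by whitespace."""
    if proto not in ("udp", "tcp"):
        raise ValueError(f"unknown protocol {proto!r}")
    at = "@" if proto == "udp" else "@@"
    return f"*.* {at}{host}:{port};RSYSLOG_SyslogProtocol23Format"


def rsyslog_omfwd_action(host, port, proto="udp"):
    """The same rule in RainerScript form, as accepted by current rsyslog versions."""
    return (f'action(type="omfwd" target="{host}" port="{port}" '
            f'protocol="{proto}" template="RSYSLOG_SyslogProtocol23Format")')


def build_rfc5424(facility, severity, host, app, procid, msg, ts):
    """Render what RSYSLOG_SyslogProtocol23Format emits:
    <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
    MSGID and STRUCTURED-DATA are '-' (nil) for ordinary messages."""
    pri = facility * 8 + severity
    stamp = ts.isoformat(timespec="microseconds")  # RFC 3339, as date-rfc3339 does
    return f"<{pri}>1 {stamp} {host} {app} {procid} - - {msg}\n"


RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    level: int       # numeric severity, what Graylog stores in the 'level' field
    timestamp: str
    host: str        # becomes Graylog's 'source'
    app: str
    procid: str
    message: str


def parse_rfc5424(line):
    """Decode one RFC 5424 message; raise ValueError for BSD/RFC 3164 lines or a bad PRI."""
    m = RFC5424.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 5424 message (BSD/RFC 3164 format?)")
    pri = int(m["pri"])
    if pri > 191:  # 23 facilities * 8 severities - 1
        raise ValueError(f"PRI {pri} out of range 0..191")
    fac, sev = divmod(pri, 8)
    return SyslogEvent(FACILITIES[fac], SEVERITIES[sev], sev, m["ts"], m["host"],
                       m["app"], m["procid"], m["msg"] or "")


def is_rfc5424(line):
    try:
        parse_rfc5424(line)
        return True
    except ValueError:
        return False


def send_udp(datagram, host, port):
    """Send one message the way rsyslog's '@' action does: a single UDP datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram.encode("utf-8"), (host, port))


def loopback_roundtrip(datagram):
    """Stand in for the Graylog Syslog UDP input on an ephemeral 127.0.0.1 port,
    send the datagram to it and decode what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        send_udp(datagram, *rx.getsockname())
        data, _ = rx.recvfrom(65535)
    return parse_rfc5424(data.decode("utf-8"))


# Constructed sample: an sshd login logged under facility authpriv (10), severity info (6).
SAMPLE_TS = datetime(2024, 1, 15, 9, 30, 0, tzinfo=timezone.utc)
SAMPLE_MSG = "Accepted publickey for admin from 10.110.0.20 port 52122 ssh2"
SAMPLE_5424 = build_rfc5424(10, 6, "debian-web01", "sshd", "1234", SAMPLE_MSG, SAMPLE_TS)
# The same event as rsyslog's default BSD-style output (no version, no year, no timezone).
SAMPLE_3164 = f"<86>Jan 15 09:30:00 debian-web01 sshd[1234]: {SAMPLE_MSG}"

if __name__ == "__main__":
    print(rsyslog_forward_rule("10.110.0.3", 5140))
    print(rsyslog_omfwd_action("10.110.0.3", 5140, "tcp"))
    print(SAMPLE_5424, end="")
    print(loopback_roundtrip(SAMPLE_5424))
```

Run it on the Debian host to see the exact bytes rsyslog will emit; pointing send_udp at your Graylog address and port is a quick way to confirm the input is reachable before restarting rsyslog, and rsyslogd -N1 validates the configuration file syntax first. The BSD-style sample also shows why the template matters: Graylog's input accepts both formats, but the RFC 5424 line carries a full timestamp with year and timezone and an explicit application name, while the RFC 3164 line has neither, and a strict 5424 parser like this one rejects it.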

Step 3. Checking logs from Graylog Server

Now go back to the Graylog web interface and open the Search page from the top menu; messages from the Debian server should appear, with the source field set to its hostname.

From the search page you can filter messages by source or application, follow them as they arrive in real time, or restrict the view to a specific time range.

Congratulations! You have configured the Debian server to send its logs to Graylog through rsyslog, and you have learned the basics of Graylog inputs by creating a Syslog UDP input on the Graylog server.