How to Send Ubuntu Logs to a Graylog Server
Graylog is a platform centralized log management system. It's one of the most popular log management systems in the DevOps world with multi-platform support and can be installed in a container environment such as Docker and Kubernetes.
As a log management system, Graylog supports multiple inputs for different types of applications and systems. You can use Syslog input for Unix-like operating systems, Windows EventLog for Windows systems, using GELF (Graylog Extended Log Format) for your custom applications.
In this tutorial, you will learn how to set send logs from the Ubuntu machine to the Graylog server. This demo uses the latest Ubuntu 22.04 machine as the client and the Graylog server v4.3. If you like to know how to set up a Graylog server on Debian 11, then have a look here.
- A Graylog server installed - This demo uses the Graylog v4.3 installed on the Debian server.
- An Ubuntu client machine - This dome uses Ubuntu 22.04 server.
- A non-root user with Sudo administrator privileges.
Setting Up Graylog Input
Before start configuring the Ubuntu client machine, you will need to set up the input on your Graylog server.
Graylog supports different types of inputs for the logging system, this includes the Syslog, Journald, Windows eventlog, Raw/Plaintext, files, etc.
For Linux systems, you can send logs to the Graylog server easily using the Syslog input. You just need to create an input on your Graylog server with the type Syslog and that will be running automatically on a specific port and IP address.
Open your web browser and visit your Graylog server installation (i.e http://graylog.hwdomain.io/). Log in to your Graylog server with the default user admin and your strong password.
Now click on the System menu and click Inputs, and you will get the new page.
On the drop-down inputs page, select the input type here "Syslog UDP" and click "Launch new input" button.
Now you will need to set up the Syslog input on the Graylog server:
- The Node here will be automatically selected, so leave it as default.
- Input the Title for your new input, for example, "Syslog Linux UDP".
- The bind-address here you can specify the IP address for your input. This can be the local IP address of your server or you can just use 0.0.0.0 to run the input on all IP addresses on the server.
- The port here you can use a different port for your input. Just be sure no other services are running on that port, and be sure the port is not in the range between 1-1024. In this demo, we are using the UDP port 5148.
Now click the Save button to confirm the input creation.
Now on the input page, you will see all available inputs that running on your Graylog server. In the below screenshot you can see the input "Syslog Linux UDP" is running on the UDP port 5148 with the bind-address 0.0.0.0, which means running on all IP addresses on the server.
Configure Ubuntu Client to Send Logs
Now it's time to configure the Ubuntu client machine for sending logs to the Graylog server. And this can be done by using the Rsyslog service.
First, connect to your Ubuntu machine using the ssh command below.
Check the Rsyslog package on the Ubuntu machine and make sure it's installed.
sudo dpkg -l | grep rsyslog
sudo apt info rsyslog
In the below screenshot, you can see the rsyslog package is installed by default. The "ii" on the field means installed.
Now verify the Rsyslog service using the below command.
sudo systemctl is-enabled rsyslog
sudo systemctl status rsyslog
You will see the rsyslog service is enabled, which means it will be automatically run on the system startup. And the current status of the rsyslog service is running.
To send logs from the Ubuntu client machine to the Graylog server using rsyslog, you will need to create a new additional rsyslog configuration. The default configuration of rsyslog is "/etc/rsyslog.conf" file, and additional rsyslog configuration can be stored at the "/etc/rsyslog.d" directory.
Create a new additional rsyslog configuration "/etc/rsyslog.d/60-graylog.conf" using nano editor.
sudo nano /etc/rsyslog.d/60-graylog.conf
Add the following configuration to the file.
Save and close the file when you are done.
The IP address is 192.168.5.10 here is the IP address of the Graylog server, which is running the inputs on the UDP port 5148.
Now restart the rsyslog service to apply new changes and new configuration using the below command.
sudo systemctl restart rsyslog
And you have completed the basic rsyslog configuration for sending logs to the Graylog server.
Checking Logs from Graylog Server
Now back to your web browser and the Graylog dashboard. Click on the Search menu on top and you will get all logs from the Ubuntu client machine as below.
From the Graylog search dashboard, you can filter log messages from your servers or applications, check log messages in real-time, check log messages from specific time frames, etc.
Congratulation! You have now successfully configured the Ubuntu client machine using the Rsyslog service for sending logs to the Graylog server. You have also learned the basic configuration of Graylog Inputs by creating a new Inputs type Syslog UDP on the Graylog server. Another way to send logs is by using the Syslog TCP, files, JSON, and beats from Elastic.