62. Graylog

Graylog is a popular open source log management tool with a GUI that uses Elasticsearch as a backend. It provides centralized log collection, analysis, searching, visualization, and alerting features. NXLog can be configured as a collector for Graylog, using one of the output writers provided by the xm_gelf module. In such a setup, NXLog acts as a forwarding agent on the client machine, sending messages to a Graylog node.

See the Graylog documentation for more information about configuring and using Graylog.

62.1. Configuring GELF UDP Collection

  1. In the Graylog web interface, go to System > Inputs.

  2. Select input type GELF UDP and click the Launch new input button.

  3. Select the Graylog node for your input or make it global. Provide a name for the input in the Title textbox. Change the default port if needed. Use the Bind address option to limit the input to a specific network interface.

    [Screenshot: Graylog UDP input configuration, screen 1]
  4. After saving, the input will appear shortly.

    [Screenshot: Graylog UDP input configuration, screen 2]

Example 267. Sending GELF via UDP

This configuration loads the xm_gelf extension module and uses the GELF_UDP output writer to send GELF messages via UDP (the OutputType value GELF is an alias for GELF_UDP, so either name selects the same writer).

nxlog.conf
<Extension _gelf>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_file
    File        "/var/log/messages"
</Input>

<Output out>
    Module      om_udp
    Host        127.0.0.1
    Port        12201
    OutputType  GELF
</Output>

62.2. Configuring GELF TCP or TCP/TLS Collection

  1. In the Graylog web interface, go to System > Inputs.

  2. Select input type GELF TCP and click the Launch new input button.

  3. Select the Graylog node for your input or make it global. Provide a name for the input in the Title textbox. Change the default port if needed. Use the Bind address option to limit the input to a specific network interface.

    [Screenshot: Graylog TCP input configuration, screen 1]
  4. To use TLS configuration, provide the TLS cert file and the TLS private key file (a password is required if the private key is encrypted). Check Enable TLS.

    [Screenshot: Graylog TLS input configuration]
  5. After saving, the input will appear shortly.

    [Screenshot: Graylog TCP input configuration, screen 2]

Example 268. Sending GELF via TCP

This configuration loads the xm_gelf extension module and uses the GELF_TCP output writer to send GELF messages via TCP.

nxlog.conf
<Extension _gelf>
    Module      xm_gelf
</Extension>

<Input in>
    Module      im_file
    File        "/var/log/messages"
</Input>

<Output out>
    Module      om_tcp
    Host        127.0.0.1
    Port        12201
    OutputType  GELF_TCP
</Output>

Example 269. Sending GELF via TCP/TLS

This configuration loads the xm_gelf extension module and uses the GELF_TCP output writer with the om_ssl module to send GELF messages over a TLS-encrypted connection. Note that AllowUntrusted TRUE makes NXLog accept the Graylog server's certificate without checking it against a trusted CA, which is convenient for a first test but leaves the connection open to a forged server; for production use set it to FALSE and point CAFile at the CA certificate that issued the certificate configured on the Graylog input.

nxlog.conf
<Extension _gelf>
    Module          xm_gelf
</Extension>

<Input in>
    Module          im_file
    File            "/var/log/messages"
</Input>

<Output out>
    Module          om_ssl
    Host            127.0.0.1
    Port            12201
    CertFile        %CERTDIR%/graylog.crt
    AllowUntrusted  TRUE
    OutputType      GELF_TCP
</Output>
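The three examples above differ only in how NXLog frames and transports the GELF record that xm_gelf produces: a GELF UDP input accepts one (optionally gzip- or zlib-compressed) JSON document per datagram, or a message split into chunks with a 12-byte header when it exceeds the datagram size, while a GELF TCP input (with or without TLS) expects uncompressed JSON records separated by a NUL byte. The following Python module is an added example, not code from the NXLog documentation or from Graylog, that builds a GELF 1.1 message, frames it for each transport, and reassembles and validates the UDP form the way a receiving input would. It is useful for sending a hand-built test event at a freshly created input before the NXLog agent is rolled out, and for checking what a capture of agent traffic actually contains. Field names, the sample host web01 and the address 192.0.2.10 are constructed values.

```python
"""GELF 1.1 message construction, TCP and UDP framing, and UDP reassembly (added example)."""
import gzip
import json
import os
import re
import struct
import time

GELF_CHUNK_MAGIC = b"\x1e\x0f"  # every UDP chunk starts with these two bytes
GELF_CHUNK_HEADER_LEN = 12      # magic (2) + message id (8) + sequence number (1) + count (1)
GELF_MAX_CHUNKS = 128           # upper bound set by the GELF specification
GELF_FIELD_NAME = re.compile(r"_[\w.\-]+")  # additional fields: underscore, then word chars, dots, dashes
SYSLOG_LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                 "warning": 4, "notice": 5, "info": 6, "debug": 7}


def build_gelf(host, short_message, level="info", timestamp=None, **extra):
    """Build a GELF 1.1 message. Keyword extras become additional fields with the
    leading underscore the specification requires; '_id' is reserved by Graylog."""
    if not host or not short_message:
        raise ValueError("host and short_message are mandatory in GELF")
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time() if timestamp is None else timestamp,  # seconds since epoch
        "level": SYSLOG_LEVELS[level] if isinstance(level, str) else int(level),
    }
    for key, value in extra.items():
        name = key if key.startswith("_") else "_" + key
        if name == "_id" or not GELF_FIELD_NAME.fullmatch(name):
            raise ValueError(f"illegal additional field name: {name}")
        msg[name] = value
    return msg


def validate_gelf(msg):
    """Check the constraints a GELF input enforces; return msg or raise ValueError."""
    if msg.get("version") != "1.1":
        raise ValueError("version must be '1.1'")
    for key in ("host", "short_message"):
        if not isinstance(msg.get(key), str) or not msg[key]:
            raise ValueError(f"{key} must be a non-empty string")
    if "level" in msg and msg["level"] not in range(8):
        raise ValueError("level must be a syslog severity 0-7")
    for key in msg:
        if key.startswith("_") and (key == "_id" or not GELF_FIELD_NAME.fullmatch(key)):
            raise ValueError(f"illegal additional field name: {key}")
    return msg


def frame_tcp(msg):
    """Frame one message for a GELF TCP input: UTF-8 JSON followed by a NUL delimiter.
    GELF TCP carries no compression; the NUL byte is what separates records on the stream
    (json.dumps escapes control characters, so no raw NUL can appear inside the JSON)."""
    return json.dumps(validate_gelf(msg), separators=(",", ":")).encode("utf-8") + b"\x00"


def frame_udp(msg, compress=True, max_chunk=8192):
    """Return the datagrams for a GELF UDP input. The JSON is gzip-compressed when
    requested (Graylog recognises gzip and zlib by their magic bytes) and, if it still
    exceeds max_chunk bytes, split into chunks carrying the 12-byte GELF chunk header."""
    data = json.dumps(validate_gelf(msg), separators=(",", ":")).encode("utf-8")
    if compress:
        data = gzip.compress(data)
    if len(data) <= max_chunk:
        return [data]
    body = max_chunk - GELF_CHUNK_HEADER_LEN
    pieces = [data[i:i + body] for i in range(0, len(data), body)]
    if len(pieces) > GELF_MAX_CHUNKS:
        raise ValueError(f"{len(pieces)} chunks needed, GELF allows at most {GELF_MAX_CHUNKS}")
    message_id = os.urandom(8)  # all chunks of one message share this id
    return [GELF_CHUNK_MAGIC + message_id + struct.pack("BB", i, len(pieces)) + piece
            for i, piece in enumerate(pieces)]


def reassemble_udp(datagrams):
    """Inverse of frame_udp: order chunks by sequence number, decompress, parse and
    validate. Chunks may arrive in any order, which is why the header carries a sequence
    number; a chunk whose message id or count disagrees with the first one is rejected."""
    first = datagrams[0]
    if first.startswith(GELF_CHUNK_MAGIC):
        msg_id, total = first[2:10], first[11]
        chunks = {}
        for d in datagrams:
            if d[:2] != GELF_CHUNK_MAGIC or d[2:10] != msg_id or d[11] != total:
                raise ValueError("chunk does not belong to this message")
            chunks[d[10]] = d[GELF_CHUNK_HEADER_LEN:]
        if sorted(chunks) != list(range(total)):
            raise ValueError("incomplete chunk set")
        data = b"".join(chunks[i] for i in range(total))
    else:
        data = first
    if data[:2] == b"\x1f\x8b":  # gzip magic; a zlib payload (0x78 ...) would be handled the same way
        data = gzip.decompress(data)
    return validate_gelf(json.loads(data.decode("utf-8")))
```

To send a test event, write each element of frame_udp(...) to a UDP socket connected to the input's port, or frame_tcp(...) to a TCP (or TLS-wrapped) socket; the default port 12201 in the NXLog examples above is the one the Graylog input offers by default. Keep in mind that a UDP input silently drops a message whose chunks do not all arrive, so a missing event after a UDP test is not necessarily a configuration error on the NXLog side.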

62.3. Collector Sidecar Configuration

Graylog Collector Sidecar is a lightweight configuration management system for different log collectors. It can be used to manage NXLog from the Graylog console. It supports GELF output via UDP, TCP, and TCP/TLS. The main advantage of using Sidecar is that everything is orchestrated from a single Graylog console.

  1. Stop and disable the NXLog system service, as the NXLog process will be managed by Graylog. Install and configure the collector sidecar for the target system. The details can be found in the Graylog Collector Sidecar documentation. The sample below reaches the Graylog API over plain http:// and sets tls_skip_verify: true, which disables certificate checking of the API connection; both are acceptable in a lab but should be replaced by an https:// URL and a verified certificate on production hosts.

    collector_sidecar.yml
    server_url: http://10.0.2.2:9000/api/
    update_interval: 30
    tls_skip_verify: true
    send_status: true
    list_log_files:
      - /var/log
    node_id: graylog-collector-sidecar
    collector_id: file:/etc/graylog/collector-sidecar/collector-id
    log_path: /var/log/graylog/collector-sidecar
    log_rotation_time: 86400
    log_max_age: 604800
    tags:
      - linux
      - apache
      - redis
    backends:
      - name: nxlog
        enabled: true
        binary_path: /usr/bin/nxlog
        configuration_path: /etc/graylog/collector-sidecar/generated/nxlog.conf

  2. Go to System > Collectors. After a successful sidecar installation, a new collector should appear.

    [Screenshot: Graylog sidecar collector configuration, step 1]

  3. Click the Create configuration button.

    [Screenshot: Graylog sidecar collector configuration, step 2]

  4. Apply a tag for the configuration.

    [Screenshot: Graylog sidecar collector configuration, step 3]

  5. Create a new output of the required type. See the Configuring GELF UDP Collection and Configuring GELF TCP or TCP/TLS Collection sections above.

  6. Create an input for NXLog (for example, a file input).

    [Screenshot: Graylog sidecar collector configuration, step 4]

  7. Go back to System > Collectors to verify the setup. If everything is fine, the collector should be in the Running state.