How to add clients to the Graylog system log manager

Graylog makes it easy to send syslog information from clients to the hosting server. Jack Wallen shows you how.

You’ve installed the Graylog system log manager to keep tabs on all of those Linux log files. It’s a great way to monitor various security layers and systems on the Linux servers in your data center. Out of the box, it’s going to do a great job of helping you monitor the logs on the server it’s installed on.

But what about those other servers?

Fortunately, Graylog makes it fairly painless to add remote servers to the list of machines to monitor. I’m going to show you how to do just that.

What you’ll need

  • A Linux server hosting Graylog
  • Some Linux clients to add

How to configure Graylog to accept incoming syslog entries

We’re going to set up Graylog to accept syslog entries. Log in to your Graylog server and click System/Inputs. From the resulting window, select Syslog UDP from the Select Input drop-down (Figure A).

Figure A

The Graylog Inputs window is where you add new clients.

Click Launch New Input and fill out the following information (Figure B):

Figure B

Filling out the information for the new input.

Once you’ve filled out that information, click Save. Now we need to configure our clients.

How to configure your Linux clients to send syslog information

Now that Graylog is accepting syslog information, we need to configure our clients to send the information. To do that, SSH into a different Linux server (one you want to have send syslog details to Graylog) and create a new rsyslog configuration file with the command:

sudo nano /etc/rsyslog.d/90-graylog.conf

In that file, paste the following:

*.* @SERVER:5140;RSYSLOG_SyslogProtocol23Format

Where SERVER is the IP address of your Graylog server.

Save and close the file. Restart rsyslog with the command:

sudo systemctl restart rsyslog
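
The forwarding line above uses a single @ (UDP) and the RSYSLOG_SyslogProtocol23Format template, which emits RFC 5424 messages. As an added example (not from the original article), this parser shows the fields such a datagram carries and rejects the legacy format a client sends when the template suffix is missing. The sample message, host name and IP address are constructed.

```python
import re
import socket

# Layout emitted by rsyslog's RSYSLOG_SyslogProtocol23Format (RFC 5424):
# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(
    r"<(?P<pri>\d{1,3})>1 (?P<timestamp>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[.*?\])+) ?(?P<msg>.*)",
    re.DOTALL,
)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_rfc5424(datagram: bytes) -> dict:
    """Parse one syslog datagram; raise ValueError if it is not RFC 5424."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\n")
    m = RFC5424.fullmatch(text)
    if m is None:
        raise ValueError("not RFC 5424 (is the format template set on the client?)")
    fields = m.groupdict()
    pri = int(fields.pop("pri"))
    if pri > 191:  # highest valid value: facility 23, severity 7
        raise ValueError("PRI out of range")
    fields["facility"], sev = divmod(pri, 8)  # PRI = facility * 8 + severity
    fields["severity"] = SEVERITIES[sev]
    return fields


def receive_one(sock: socket.socket, timeout: float = 5.0):
    """Wait for one datagram; return (sender_ip, parsed_fields)."""
    sock.settimeout(timeout)
    data, (sender, _port) = sock.recvfrom(8192)
    return sender, parse_rfc5424(data)


def loopback_check(sample: bytes):
    """Send sample to a local UDP socket and parse what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))  # ephemeral port; the article's config uses 5140
        tx.sendto(sample, rx.getsockname())
        return receive_one(rx)

# Constructed sample in the shape the client configuration above would emit.
SAMPLE = (b"<38>1 2024-01-01T12:00:00.000000+00:00 web01 sshd 1234 - - "
          b"Failed password for invalid user admin from 203.0.113.7 port 52210 ssh2\n")

if __name__ == "__main__":
    print(loopback_check(SAMPLE))
```

UDP syslog is neither acknowledged nor authenticated, so the sender address returned by receive_one is only as trustworthy as the network between the client and the collector.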

How to view syslog entries on Graylog

If you go back to your Graylog server and click Search, you should see listings of all syslog entries from the newly-added client. Click one of the entries in the bottom pane and you can view the entry (Figure C).

Figure C

My Kubernetes controller is throwing quite a lot of information to the Graylog server.

And that’s all there is to adding a client to Graylog. Having syslog information sent to the Graylog server will give you plenty of information to start combing through.
