Differences

This shows you the differences between two versions of the page.

--- computing:linux:graylog [2021/07/28 14:04]
gcooper created
+++ computing:linux:graylog [2022/01/18 11:05] (current)
gcooper
@@ Line 1: / Line 1: @@
 ====== Syslog with Graylog ======
-FIXME Unfinished
 **Excellent Documentation**: https://docs.graylog.org/en/4.1/index.html
@@ Line 9: / Line 7: @@
 **Install Graylog OSS on Ubuntu**: https://www.itzgeek.com/how-tos/linux/ubuntu-how-tos/how-to-install-graylog-on-ubuntu-20-04.html
-**Getting Started**: http://123.123.123.123:9000/gettingstarted
+**Getting Started**: https://docs.stackhero.io/en/Graylog
 **Getting Started Docs**: https://docs.graylog.org/en/4.1/pages/getting_started.html
+https://docs.graylog.org/en/3.1/pages/faq.html#how-can-i-start-an-input-on-a-port-below-1024
+https://github.com/Graylog2/graylog-guide-syslog-linux
 {{ :computing:linux:graylog_simple.png?direct&350|Simple Graylog Server}}
@@ Line 26: / Line 28: @@
 **Archived data is stored in a compressed format on the Graylog server** or network file share. It is searchable via GREP, but must be reconstituted in Graylog in order to be searchable through the GUI again.
+===== Upgrade =====
+We use ''apt'' repositories for installation, so updates are easy:
+Show all ''apt'' sources:
+<file>
+grep -r --include '*.list' '^deb ' /etc/apt/sources.list*
+</file>
+<file>
+apt update && apt dist-upgrade -y && apt autoremove -y && apt clean && reboot
+</file>
 ===== Configuration =====
@@ Line 35: / Line 51: @@
 ==== Syslog Input ====
-The first step to accept input is to create an ''Input'', probably syslog UDP and TCP.
+The first step to accept input is to create an ''Input'' (listener), perhaps "Syslog UDP".
-To accept input data on ports below 1024, we must either run Graylog as ''root'' or use redirection to a higher port.
+It is recommended to configure the syslog ''Input'' to accept traffic on **UDP port 1514** and redirect traffic sent to UDP 514 to it.
-It is recommended to configure the syslog ''Input'' to accept traffic on UDP port 1514 and redirect traffic sent to UDP 514 to it.
+<file>
+iptables -t nat -A PREROUTING -p tcp --dport 514 -j REDIRECT --to 1514
+iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to 1514
+</file>
 <note>We use Webmin and CSF with LFD for all firewalls.  Even though this Graylog server is probably an internal host, we also use it here.
@@ Line 45: / Line 64: @@
 See also **[[networking:firewall:csf|https://virtualarchitects.com/wiki/doku.php?id=networking:firewall:csf]]**</note>
+==== Create Index ====
+Indexes are how data is stored and rotated.
+==== Create Stream ====
+Stream Rules route or sort messages into indexes.
+===== Log Sources =====
+==== Send Linux Syslog ====
+https://github.com/Graylog2/graylog-guide-syslog-linux/

Virtual Architects Support Wiki

User Tools

Site Tools

Differences

Page Tools