Graylog Remote Source or Client or Host Configuration
Step 1:
Install rsyslog packages
yum install rsyslog
Step 2:
Configure rsyslog using a template: open the file and add the following at the bottom
vi /etc/rsyslog.conf
## For FQDN
$PreserveFQDN on
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
## Graylog Log Template
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %syslogtag%%msg%\n"
#Graylog Server With Port
*.* @172.17.20.100:5555;GRAYLOGRFC5424
Here:
*.* = all facilities, all priorities
@ = UDP & @@ = TCP
172.17.20.100 = Graylog Server
5555 = Port
GRAYLOGRFC5424 = Rsyslog Template
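Before restarting the service, the forwarding line can be read back out of the file and checked against the breakdown above. The following is an added example, not part of the original guide: the function names list_forwards and check_templates are hypothetical, the sample file is constructed from the two lines shown on this page, and only the legacy "@host:port;TEMPLATE" syntax used here is handled.

```sh
#!/bin/sh
# Added example: audit legacy-syntax forwarding actions in an rsyslog config.

# Print one line per forwarding action:
#   <selector> <transport> <host> <port> <template or "-">
# "@" is reported as udp and "@@" as tcp. Commented-out lines are skipped.
# Bracketed IPv6 targets are not handled.
list_forwards() {
    sed -n -E 's/^[[:space:]]*([^#[:space:]]+)[[:space:]]+(@@?)([^@:;[:space:]]+):([0-9]+)(;([A-Za-z0-9_]+))?[[:space:]]*$/\1 \2 \3 \4 \6/p' "$1" |
    while read -r selector at host port template; do
        if [ "$at" = "@@" ]; then transport=tcp; else transport=udp; fi
        printf '%s %s %s %s %s\n' "$selector" "$transport" "$host" "$port" "${template:--}"
    done
}

# Return 0 only if every template named by a forwarding action is
# defined by a "$template NAME," line in the same file.
check_templates() {
    missing=0
    for name in $(list_forwards "$1" | awk '$5 != "-" { print $5 }' | sort -u); do
        if ! grep -Eq "^[[:space:]]*\\\$template[[:space:]]+$name," "$1"; then
            echo "template $name is used but not defined in $1" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: the template and forwarding lines from this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
## Graylog Log Template
$template GRAYLOGRFC5424,"<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %syslogtag%%msg%\n"
#Graylog Server With Port
*.* @172.17.20.100:5555;GRAYLOGRFC5424
EOF

list_forwards "$sample"
check_templates "$sample" && echo "all referenced templates are defined"
```

On a real host, pass /etc/rsyslog.conf instead of the sample file.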
Step 3:
Restart rsyslog service
systemctl restart rsyslog
systemctl enable rsyslog
Step 4:
Log in to the Graylog server and check the Source tab. It looks like