GELF forwarding in rsyslog¶
Written by Florian Riedl
Situation¶
The current setup has a system with rsyslog as the central syslog server and a system with Graylog for storage and analyzing the log messages. Graylog expects the log messages to arrive in GELF (Graylog Extended Log Format).
Changing the default log format to GELF¶
To make rsyslog send GELF we basically need to create a custom template. This template will define the format in which the log messages will get sent to Graylog.
template(name="gelf" type="list") {
constant(value="{\"version\":\"1.1\",")
constant(value="\"host\":\"")
property(name="hostname")
constant(value="\",\"short_message\":\"")
property(name="msg" format="json")
constant(value="\",\"timestamp\":\"")
property(name="timegenerated" dateformat="unixtimestamp")
constant(value="\",\"level\":\"")
property(name="syslogseverity")
constant(value="\"}")
}
This is a typical representation in the list format with all the necessary fields and format definitions that Graylog expects.
Applying the template to a syslog action¶
The next step is applying the template to our output action. Since we are forwarding log messages to Graylog, this is usually a syslog sending action.
# syslog forwarder via UDP
action(type="omfwd" target="graylogserver" port="514" protocol="udp" template="gelf")
We now have a syslog forwarding action. This uses the omfwd module. Please note that the case above only works for UDP transport. When using TCP, Graylog expects a Nullbyte as message delimiter. This is currently not possible with rsyslog.
Conclusion¶
With this quick and easy setup you can feed Graylog with the correct log message format so it can do its work. This case can be applied to a lot of different scenarios as well, but with different templates.
This documentation is part of the rsyslog project.
See also
Help with configuring/using Rsyslog
:
- Mailing list - best route for general questions
- GitHub: rsyslog source project - detailed questions, reporting issues
that are believed to be bugs with
Rsyslog
- Stack Exchange (View, Ask) - experimental support from rsyslog community
See also
Contributing to Rsyslog
:
- Source project: rsyslog project README.
- Documentation: rsyslog-doc project README