0

I have a graylog syslog server running on debian, running fine. I wanted to send syslogs from our Vmware ESX hosts to Graylog. I point a ESX host to the syslog by doing the following:

I open vSphere Client and selected my host. And then I select configuration... advanced settings, scroll down and expand Syslog and select global. Now under Syslog.global.loghost I put my server info-> udp://ipaddressofgraylog2:514 And I open the firewall for the syslog. Everything works at this end.

I go to my Graylog Server, and I see a ton of data being sent over. I adjust the host syslog output-> vCenter, select a host in the inventory, then the Configuration tab -> Advanced Settings -> Config -> HostAgent -> Log. Set logging level to "Error" (for now).

My problem: I look closer at Graylog "HOSTS":enter image description here

Graylog has 31 hosts listed, but there are really just 7 hosts. The syslog info from the ESX host(s) are not for a better word "tidy". My question is how I can make it "tidy"? If I have 3-4 ESX hosts sending their syslogs like this, parsing the info would be brutal.

Is this a graylog problem? Vmware ESX v5.5 problem?

ANSWER from mrlesmithjr link/script!

# Now we need to modify some things to get rsyslog to forward to graylog. this is useful for ESXi syslog format to be correct.
echo "Updating graylog2.conf and rsyslog.conf"
sed -i -e 's|syslog_listen_port = 514|syslog_listen_port = 10514|' /etc/graylog2.conf
sed -i -e 's|#$ModLoad immark|$ModLoad immark|' /etc/rsyslog.conf
sed -i -e 's|#$ModLoad imudp|$ModLoad imudp|' /etc/rsyslog.conf
sed -i -e 's|#$UDPServerRun 514|$UDPServerRun 514|' /etc/rsyslog.conf
sed -i -e 's|#$ModLoad imtcp|$ModLoad imtcp|' /etc/rsyslog.conf
sed -i -e 's|#$InputTCPServerRun 514|$InputTCPServerRun 514|' /etc/rsyslog.conf
sed -i -e 's|*.*;auth,authpriv.none|#*.*;auth,authpriv.none|' /etc/rsyslog.d/50-default.conf
echo '$template GRAYLOG2,"<%PRI%>1 %timegenerated:::date-rfc3339% %FROMHOST% %syslogtag% - %APP-NAME%: %msg:::drop-last-lf%\n"' | tee /etc/rsyslog.d/32-graylog2.conf
echo '$ActionForwardDefaultTemplate GRAYLOG2' | tee -a  /etc/rsyslog.d/32-graylog2.conf
echo '$PreserveFQDN on' | tee -a  /etc/rsyslog.d/32-graylog2.conf
echo '*.info @localhost:10514' | tee -a  /etc/rsyslog.d/32-graylog2.conf
Logman
  • 445
  • 2
  • 16
  • 28

1 Answers1

1

@Logman. I would recommend you head over to the following site and get graylog2 up and running correctly to clean up your vSphere hosts syslog when importing into graylog2. Stand up a Ubuntu vm and install from scratch.

http://everythingshouldbevirtual.com/ubuntu-12-04-graylog2-installation

mrlesmithjr
  • 151
  • 2
  • This syslog was made for testing, and I did have a couple window servers sending thier logs to it and it was working fine with the Windows servers. My test syslog server was based on that link. – Logman Nov 27 '13 at 12:42
  • How long ago did you use that install link? That is my site and script which makes me think it had been a while seeing as it does not have any pruning. – mrlesmithjr Nov 27 '13 at 21:17
  • 1
    see if there is a /etc/rsyslog.d/32-graylog2.conf file. If not create it or if there is edit it to only contain the following. $template GRAYLOG2,"<%PRI%>1 %timegenerated:::date-rfc3339% %FROMHOST% %syslogtag% - %APP-NAME%: %msg:::drop-last-lf%\n" $ActionForwardDefaultTemplate GRAYLOG2 $PreserveFQDN on *.info @localhost:10514 – mrlesmithjr Nov 27 '13 at 21:20
  • 1
    Then do the following to clean up all old messages and hosts to get a fresh start. cd /opt/elasticsearch/data/graylog2 sudo rm -rf * mongo use graylog2 db.message_counts.remove() db.hosts.remove() exit sudo /etc/init.d/elasticsearch restart sudo /etc/init.d/rsyslog restart – mrlesmithjr Nov 27 '13 at 21:26