Graylog, rsyslog and RELP

jbailey
Posts: 12
Joined: 2015/10/05 15:12:40


Post by jbailey » 2019/06/27 17:59:25

So I have a bunch of CentOS 7 servers whose rsyslog configurations instruct each to forward their logs to a central syslog server -- a CentOS 7 box running Graylog. It works fairly well, but I must admit I'm interested in Graylog's RELP logging protocol that promises more reliable logging. The problem is, Graylog doesn't support RELP as an input.

With that in mind, I thought perhaps the rsyslog instance on the graylog server could act as an intermediary, effectively receiving RELP from the other servers and then forwarding that into Graylog as standard syslog messaging. Configuring all of the rsyslog instances on all of the CentOS servers to send logs via RELP (omrelp) is pretty straightforward.

What I'm not sure about is what I would need to do with the rsyslog instance on the Graylog server. I need it to continue to receive messages generated by the local system for inclusion into Graylog, but I also need it to receive messages from these other systems -- all while keeping the proper source field intact for each message. In other words, if rsyslog receives messages generated locally, the logging source needs to match the server's fqdn, but if the received message was generated by a remote system, then the source should reflect the fqdn of the remote system that sent it.

Graylog is running on a higher, non-privileged port. External syslog traffic is being redirected to this port by an iptables nat rule (e.g. 514 -> 5140) so that it bypasses rsyslog and is ingested directly into Graylog. My thought was to have rsyslog listen on an arbitrary port (say, 10514) for imrelp traffic and then forward that to Graylog on 5140. I don't want to break rsyslog's local configuration (journald, localhost, etc.) either, however.

Any rsyslog gurus out there who could explain to me how to make this work?

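One way to build the relay described in the post, written in rsyslog's RainerScript syntax as an added example (this is not the poster's configuration or anything shipped by Graylog or rsyslog). The key idea is to bind the imrelp listener to its own ruleset, so remote messages are forwarded to Graylog and then dropped with `stop` before they reach the default ruleset (no duplicate copies in /var/log/messages, no double forwarding), while the default ruleset handles the host's own journald/imuxsock messages and forwards those separately. Because both forwarding actions use the RFC 5424 template RSYSLOG_SyslogProtocol23Format, the HOSTNAME field of each relayed message is the one parsed from the original sender's header, so Graylog's source field shows the remote fqdn for relayed messages and the local fqdn for local ones. The port numbers (10514, 5140) are taken from the post; the file names, the 127.0.0.1 target, the queue names, `graylog.example.com`, and the assumption that the Graylog input on 5140 is a Syslog TCP input are mine.

```conf
###########################################################################
# Graylog host: /etc/rsyslog.d/10-relp-relay.conf  (file name is assumed)
# Requires the rsyslog-relp package on CentOS 7 (provides imrelp/omrelp).
###########################################################################
module(load="imrelp")

# Ruleset used ONLY for messages arriving over RELP from remote hosts.
# They are forwarded straight to Graylog and then stopped, so they never
# reach the default ruleset (no local file writes, no double forwarding).
ruleset(name="relp_to_graylog") {
    action(type="omfwd"
           target="127.0.0.1" port="5140" protocol="tcp"   # Graylog Syslog TCP input (assumed)
           template="RSYSLOG_SyslogProtocol23Format"       # RFC 5424; keeps the sender's HOSTNAME
           queue.type="LinkedList"                         # disk-assisted queue so a Graylog
           queue.filename="q_relp_to_graylog"              # restart does not lose RELP-delivered
           queue.saveOnShutdown="on"                       # messages (rsyslog WorkDirectory)
           action.resumeRetryCount="-1")                   # retry forever instead of discarding
    stop
}

# Listen for RELP on the arbitrary port from the post and bind it to the
# ruleset above. Nothing here touches the imjournal/imuxsock inputs that
# CentOS 7 configures in /etc/rsyslog.conf for the local system.
input(type="imrelp" port="10514" ruleset="relp_to_graylog")

###########################################################################
# Graylog host: /etc/rsyslog.d/20-local-to-graylog.conf  (file name is assumed)
# Runs in the DEFAULT ruleset, i.e. for locally generated messages only.
# Local files (/var/log/messages etc.) keep being written by the stock rules;
# this just adds a copy to Graylog with HOSTNAME = this server's own name.
###########################################################################
*.* action(type="omfwd"
           target="127.0.0.1" port="5140" protocol="tcp"
           template="RSYSLOG_SyslogProtocol23Format"
           queue.type="LinkedList"
           queue.filename="q_local_to_graylog"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")

###########################################################################
# Every other CentOS 7 host: /etc/rsyslog.d/10-omrelp.conf  (file name is assumed)
# Sends everything to the relay over RELP; the RELP ack plus the disk-
# assisted queue is what gives the "more reliable" delivery the post wants.
###########################################################################
module(load="omrelp")
*.* action(type="omrelp"
           target="graylog.example.com" port="10514"      # hostname is assumed
           template="RSYSLOG_SyslogProtocol23Format"
           queue.type="LinkedList"
           queue.filename="q_omrelp"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
```

Check the syntax on each host with `rsyslogd -N1` before restarting rsyslog, open 10514/tcp on the Graylog host's firewall (the existing 514 -> 5140 nat rule is not involved, since rsyslog talks to 5140 directly), and then run `logger "relp relay test"` on a remote host and confirm in Graylog that the message's source is that remote host's fqdn, not the Graylog server's. If the Graylog input on 5140 is UDP rather than TCP, change `protocol="tcp"` to `protocol="udp"` in both omfwd actions. Note that plain RELP is not encrypted; imrelp and omrelp both accept `tls="on"` with certificate parameters if the hop between hosts needs confidentiality, which is outside what the post asks about.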