graylog2: Send logs to Graylog
graylog2(): Sending logs to Graylog
You can use the graylog2()
destination and a Graylog Extended Log Format (GELF) template to send syslog messages to Graylog.
You can forward simple name-value pairs where the name starts with a dot or underscore. If names of your name-value pairs include dots other than the first character, you should use JSON formatting directly instead of the GELF template and send logs to a raw TCP port in Graylog, which can then extract fields from nested JSON. Version 3.21 and later also supports TLS-encrypted connection to the Graylog server.
Declaration:
graylog2();
Example: Using the graylog2() driver
You can send syslog messages to Graylog using the graylog2()
destination. The graylog2()
destination uses the GELF template, the native data format of Graylog.
-
On the Graylog side, configure a GELF TCP input. For more information, see the relevant Graylog documentation.
-
On the AxoSyslog side, configure the name or IP address of the host running Graylog.
destination d_graylog { graylog2( host("172.16.146.142") transport(tcp) ); };
If you parsed your messages using
syslog-n
g, the template also forwards any name-value pairs where the name starts with a dot or underscore.
Sending nested JSON to Graylog
While sending nested JSON inside GELF is possible, it is not convenient. If you use parsing and normalization and dot notation in field names, use pure JSON instead of GELF to forward your messages.
-
On the Graylog side, create a new raw TCP input.
-
Still in Graylog, once the raw TCP input is ready, add a JSON extractor to it.
-
On the AxoSyslog side, use a network destination combined with a template utilizing format-json as shown in the example below:
destination d_jsontcp { network( "172.16.146.142" port("5555") transport(tcp) template("$(format-json --scope all-nv-pairs)\n") ); };