After setting up your Graylog2 server, the first step is to configure rsyslog on your main server to forward logs. Edit /etc/rsyslog.conf:
# Enable UDP forwarding (a single @ means UDP)
*.* @logs.example.com:1337
# For a TCP connection (more reliable), use @@ instead of @ and comment out the UDP line,
# otherwise every message is forwarded twice:
#*.* @@logs.example.com:1337
# Enable the imfile module for file monitoring (must be loaded before any imfile input below)
module(load="imfile")
Restart rsyslog after changes:
systemctl restart rsyslog
To capture Apache logs from multiple sites under the /srv/www/ directory structure:
# Apache access logs (wildcards in File= require rsyslog 8.25 or newer, inotify mode)
input(type="imfile"
File="/srv/www/*/logs/access.log"
Tag="apache-access"
Severity="info"
Facility="local7")
# Apache error logs
input(type="imfile"
File="/srv/www/*/logs/error.log"
Tag="apache-error"
Severity="error"
Facility="local7")
For Rails applications logging to public_html/log/production.log:
input(type="imfile"
File="/srv/www/*/public_html/log/production.log"
Tag="rails-production"
Severity="info"
Facility="local6")
To monitor SSH and authentication logs:
# Auth logs (Debian/Ubuntu). Note: rsyslog receives auth/authpriv messages directly and the
# *.* rule above already forwards them; reading the file back with imfile sends each event twice.
input(type="imfile"
File="/var/log/auth.log"
Tag="auth-log"
Severity="info")
# Auth log on RHEL-family systems (not SSH-only; sshd messages are among those written here)
input(type="imfile"
File="/var/log/secure"
Tag="ssh-log"
Severity="info")
On your Graylog2 server, create a GELF UDP input:
- Go to System → Inputs
- Select "GELF UDP"
- Set port to 1337 (or your chosen port)
- Check "Bind to all interfaces"
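The `*.* @logs.example.com:1337` rule above makes rsyslog emit plain BSD-syslog (RFC 3164) datagrams, whereas a GELF input only accepts GELF JSON. The following added example (written for this page, not rsyslog's or Graylog's code) builds one message in each wire format, classifies an arriving datagram the way an input would, and pushes a payload through a loopback UDP listener on an ephemeral port so you can see what actually reaches the socket. The hostnames, tags, facility table and message text are constructed sample values.

```python
import json
import socket
import time

# Facility/severity numbers from RFC 3164; local7.info is what the imfile
# inputs above assign to Apache access lines (constructed subset).
FACILITIES = {"auth": 4, "local6": 22, "local7": 23}
SEVERITIES = {"error": 3, "info": 6}


def build_rfc3164(facility: str, severity: str, hostname: str, tag: str, msg: str) -> bytes:
    """Build the BSD-syslog datagram that rsyslog's `*.* @host:port` rule sends.

    PRI is facility * 8 + severity. The timestamp is a fixed constructed value
    so the output is deterministic.
    """
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    return f"<{pri}>May  1 10:15:30 {hostname} {tag}: {msg}".encode()


def build_gelf(hostname: str, short_message: str, severity: str, **extra) -> bytes:
    """Build a GELF 1.1 JSON datagram, the format a 'GELF UDP' input expects.

    Additional fields are prefixed with an underscore as the GELF spec requires.
    """
    doc = {
        "version": "1.1",
        "host": hostname,
        "short_message": short_message,
        "timestamp": time.time(),
        "level": SEVERITIES[severity],
    }
    doc.update({f"_{key}": value for key, value in extra.items()})
    return json.dumps(doc).encode()


def parse_pri(datagram: bytes):
    """Return (facility, severity) decoded from a syslog PRI header, or None."""
    if datagram[:1] != b"<":
        return None
    end = datagram.find(b">", 1, 6)
    if end == -1 or not datagram[1:end].isdigit():
        return None
    pri = int(datagram[1:end])
    return pri >> 3, pri & 7


def classify(datagram: bytes) -> str:
    """Decide whether a datagram is GELF, syslog, or neither.

    A GELF input rejects anything that is not a JSON object carrying the
    mandatory version/host/short_message fields, which is why syslog-formatted
    output from rsyslog never appears on a GELF input.
    """
    if datagram[:1] == b"{":
        try:
            doc = json.loads(datagram)
        except ValueError:
            return "invalid"
        if doc.get("version") == "1.1" and "host" in doc and "short_message" in doc:
            return "gelf"
        return "invalid"
    return "syslog" if parse_pri(datagram) is not None else "invalid"


def loopback_roundtrip(payload: bytes) -> str:
    """Send one datagram to a local UDP listener and classify what arrives.

    Binding port 0 picks a free ephemeral port, so this never collides with a
    real input on 1337.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server:
        server.bind(("127.0.0.1", 0))
        server.settimeout(2)
        port = server.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
            client.sendto(payload, ("127.0.0.1", port))
        data, _ = server.recvfrom(65535)
    return classify(data)


if __name__ == "__main__":
    syslog_msg = build_rfc3164("local7", "info", "web01", "apache-access", "GET /index.html 200")
    gelf_msg = build_gelf("web01", "GET /index.html 200", "info", tag="apache-access")
    for payload in (syslog_msg, gelf_msg):
        print(loopback_roundtrip(payload), payload[:60])
```

Pointing the listener at the port your input would use (bind to 1337 instead of 0 on a test host) also gives you a quick way to confirm that rsyslog's forwarding actually reaches the network before involving Graylog.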
For custom log parsing in Graylog:
extractors:
  - type: grok
    name: APACHE_LOG
    condition: "fields.tags == 'apache-access'"
    pattern: "%{COMBINEDAPACHELOG}"
For high-volume logging:
- Use TCP instead of UDP for reliable delivery
- Consider using filebeat or fluentd for better performance
- Rotate logs regularly to prevent disk space issues
Create dashboards from searches such as:
# Example search query for HTTP 500 errors
http_response_code:500
# SSH failed attempts
tags:ssh-log AND "Failed password"
To forward system logs (including SSH and authentication logs) to Graylog2, edit your /etc/rsyslog.conf:
# Enable UDP forwarding
*.* @logs.example.com:1337
# For TCP (more reliable but slightly slower), use this line instead of the UDP one
#*.* @@logs.example.com:1337
# Only needed if this host should also receive syslog from other machines:
# imudp opens a UDP listener on port 514, and forwarding alone does not require it
module(load="imudp")
input(type="imudp" port="514")
Restart rsyslog after changes:
systemctl restart rsyslog
For Apache logs, Filebeat is more efficient than syslog. Create /etc/filebeat/filebeat.yml:
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /srv/www/*/logs/access.log
      - /srv/www/*/logs/error.log
    fields:
      type: apache
output.logstash:
  hosts: ["graylog.example.com:5044"]
For Rails logs in public_html/log/production.log, extend your Filebeat configuration with a second input under filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /srv/www/*/public_html/log/production.log
    fields:
      type: rails
    # Lines beginning with whitespace (stack-trace continuations) are appended to the previous event
    multiline.pattern: '^[[:space:]]'
    multiline.negate: false
    multiline.match: after
On your Graylog server, create these inputs:
1. Syslog UDP input (Port 1337)
2. Beats input (Port 5044)
For Apache logs, create these extractors in Graylog:
1. Grok pattern for Apache combined format:
%{IPORHOST:clientip} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:response} (?:%{NUMBER:bytes}|-) "(?:%{URI:referrer}|-)" "%{DATA:agent}"
2. For Rails logs:
%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} -- : %{GREEDYDATA:message}
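To see what these two patterns extract, and how the Filebeat multiline setting from the Rails input feeds the second one, here is an added example (written for this page, not Graylog's grok engine or Filebeat's code). It translates both grok patterns into equivalent Python named-group regexes, groups constructed Rails log lines the way `multiline.pattern: '^[[:space:]]'` with `negate: false` and `match: after` does, and then parses constructed Apache and Rails lines, returning None for lines that do not match so they can be counted rather than lost. The sample lines and the "timestamp LEVEL -- : message" Rails layout are assumptions; `re.DOTALL` is used so appended trace lines stay inside `message`.

```python
import re

# Equivalent of the Apache combined-format grok pattern above
# (%{IPORHOST:clientip} ... "%{DATA:agent}") as Python named groups.
APACHE_RE = re.compile(
    r'(?P<clientip>\S+) (?P<ident>\S+) (?P<auth>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<verb>\S+) (?P<request>\S+) HTTP/(?P<httpversion>[\d.]+)" '
    r'(?P<response>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Equivalent of %{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} -- : %{GREEDYDATA:message}.
RAILS_RE = re.compile(
    r'(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?) '
    r'(?P<level>TRACE|DEBUG|INFO|WARN|ERROR|FATAL) -- : (?P<message>.*)',
    re.DOTALL,
)

# Filebeat multiline settings from the Rails input: a line that starts with
# whitespace is a continuation of the previous event (match: after).
MULTILINE_RE = re.compile(r"^[ \t]")
MULTILINE_NEGATE = False


def group_multiline(lines, pattern=MULTILINE_RE, negate=MULTILINE_NEGATE):
    """Join continuation lines onto the previous event, as multiline.match: after does."""
    events = []
    for line in lines:
        is_continuation = bool(pattern.search(line)) != negate
        if is_continuation and events:
            events[-1] += "\n" + line
        else:
            events.append(line)
    return events


def parse_apache(line):
    """Return the extracted fields, or None when the line does not match.

    Unmatched lines are returned as None instead of being dropped silently, so a
    pipeline can count them; a sudden rise in unparsed lines is itself a signal.
    """
    m = APACHE_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # The grok pattern allows "-" for bytes and referrer; normalise that to None.
    for key in ("bytes", "referrer"):
        if fields[key] == "-":
            fields[key] = None
    return fields


def parse_rails(event):
    """Apply the Rails pattern to one (possibly multi-line) event."""
    m = RAILS_RE.search(event)
    return m.groupdict() if m else None


def parse_rails_log(lines):
    """Group continuation lines first, then run the Rails pattern on each event."""
    return [parse_rails(event) for event in group_multiline(lines)]


# Constructed sample lines (not taken from any real server).
APACHE_LINES = [
    '203.0.113.5 - - [01/May/2024:10:15:30 +0000] "GET /index.html HTTP/1.1" 500 1234 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - alice [01/May/2024:10:15:31 +0000] "POST /login HTTP/1.1" 302 - "https://example.com/" "curl/8.0"',
    "this line is not an access log entry",
]

RAILS_LINES = [
    '2024-05-01T10:15:30.123 INFO -- : Started GET "/" for 203.0.113.5',
    "2024-05-01T10:15:30.456 ERROR -- : NoMethodError (undefined method `name' for nil):",
    "  app/controllers/home_controller.rb:7:in `index'",
    "  app/controllers/home_controller.rb:3:in `show'",
    "2024-05-01T10:15:31.000 INFO -- : Completed 500 Internal Server Error in 12ms",
]


if __name__ == "__main__":
    for line in APACHE_LINES:
        print(parse_apache(line))
    for event in parse_rails_log(RAILS_LINES):
        print(event)
```

Without the multiline grouping the two indented trace lines would become separate events that match neither pattern; with it, the whole trace travels inside the ERROR event's `message` field, which is what you want when searching for `level:ERROR` in Graylog.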
Add this to /etc/logrotate.d/apache to ensure proper log rotation:
/srv/www/*/logs/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    sharedscripts
    postrotate
        systemctl reload apache2
    endscript
}
Check log forwarding with these commands:
# Verify syslog: write a test message through rsyslog
logger "Test syslog message"
# This only confirms local logging; search for the same message in Graylog to confirm it was forwarded
grep "Test syslog message" /var/log/syslog
# Verify Filebeat can reach its configured output, then follow its service log
filebeat test output
journalctl -u filebeat -f
If logs aren't appearing in Graylog:
1. Check firewall rules (on the Graylog server, where the inputs listen):
sudo ufw status
sudo ufw allow 1337/udp
sudo ufw allow 5044/tcp
2. Verify Graylog inputs are running (the API requires authentication; USER is a placeholder for a Graylog account):
curl -u USER -XGET http://graylog.example.com:9000/api/system/inputs
3. Check Filebeat logs:
journalctl -u filebeat -n 50 -f