GrayLog Input

As per my previous post https://www.balajibandi.com/?p=1940

Graylog Enterprise and Security do not, by default, allow creating an input on UDP 514 to accept logs.

This causes issues for legacy systems that cannot change their syslog transport or switch to a custom UDP port such as 1514.

It is a big challenge if you have older systems in production that still need to send logs to the default port, UDP/514.

We cannot add another logging server just to accept the logs and relay them to Graylog; that would be another financial burden and require maintenance.

I am using NGINX as a load balancer (LB); the same can be done with other LB products such as F5, Citrix, KEMP, and so on.

Referring to my old post, a small change was added to the LB for Graylog Enterprise.

In the above diagram, I referred to the LB as NGINX (it has both free and paid versions), but I am using the free version since I only need an LB to front the Graylog GUI and to forward stream logs to Graylog.

NGINX has a module called stream, which proxies TCP and UDP traffic.

You send all the logs to the NGINX LB, and NGINX in turn forwards them to a custom port, for example UDP/1514.

Below is an example (file location: /etc/nginx/stream.conf.d/stream.conf). Note that the stream block must be included at the top level of nginx.conf, outside the http block. Validate the configuration with nginx -t, then restart NGINX for the change to take effect.

stream {
    # Graylog nodes listening on the custom UDP/1514 input; a node is marked
    # unavailable for 10s after a single failure.
    upstream graylog {
        server graylog1.example.com:1514 max_fails=1 fail_timeout=10s;
        server graylog2.example.com:1514 max_fails=1 fail_timeout=10s;
        server graylog3.example.com:1514 max_fails=1 fail_timeout=10s;
    }

    server {
        # Accept syslog on the default port and on the custom port.
        listen 514 udp;
        listen 1514 udp;
        proxy_pass graylog;
        proxy_timeout 1s;
        # Keep the original sender's IP as the source address Graylog sees.
        # Binding to a non-local address requires the "transparent" parameter
        # and worker processes with CAP_NET_RAW (or running as root); without
        # this line Graylog records the LB address as the log source.
        proxy_bind $remote_addr transparent;
        error_log /var/log/nginx/graylog_error.log;
    }
}

All your devices send logs to the NGINX LB IP, and NGINX forwards them to Graylog on port UDP/1514.
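To confirm the relay path end to end, it helps to send a known syslog datagram and look at what the Graylog-side listener actually receives, in particular which source address it sees (the original device, if proxy_bind transparent works, or the LB's own address if it does not). The script below is an added example written for this post, not code from the original post or from NGINX or Graylog; the hostname "legacy-switch01", the message text and the loopback ports are constructed for illustration. It builds an RFC 3164 (BSD) syslog line, sends it over UDP, and parses the PRI field on the receiving side. The loopback_roundtrip() function runs fully offline; for a real check you would run the listener on the Graylog host (or watch the Graylog input) and point send_test_datagram() at the LB address on port 514.

```python
# Added example (not from the original post): send a constructed syslog
# datagram and check what a Graylog-style UDP listener actually receives.
# Hostnames, ports and message text are assumptions for illustration.
import re
import socket
from datetime import datetime

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def build_syslog(facility, severity, host, app, msg, when=None):
    """Build an RFC 3164 (BSD) syslog line: <PRI>TIMESTAMP HOST TAG: MSG.

    PRI = facility * 8 + severity; the timestamp is space-padded like
    traditional syslog ("Jan  1 12:00:00")."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    when = when or datetime(2024, 1, 1, 12, 0, 0)  # fixed for reproducibility
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{ts} {host} {app}: {msg}".encode()


def parse_pri(datagram):
    """Return (facility, severity) from the PRI field, or None if malformed."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23*8+7 is the largest legal PRI value
        return None
    return pri // 8, pri % 8


def send_test_datagram(target_host, target_port, payload):
    """Send one UDP datagram to the relay (in production: the LB IP, port 514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (target_host, target_port))


def loopback_roundtrip(timeout=2.0):
    """Offline demonstration: a UDP listener standing in for Graylog's 1514
    input receives a datagram sent directly to it over loopback.

    Against a real LB, compare "source_ip" with the sending device's address:
    a mismatch means the LB is not preserving the original sender, and every
    log line in Graylog will be attributed to the LB instead of the device."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # ephemeral port stands in for 1514
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        payload = build_syslog(1, 6, "legacy-switch01", "relaycheck",
                               "graylog relay test")
        send_test_datagram("127.0.0.1", port, payload)
        data, (src_ip, _src_port) = listener.recvfrom(65535)
    return {
        "source_ip": src_ip,
        "pri": parse_pri(data),
        "payload": data.decode(),
        "matches_sent": data == payload,
    }


if __name__ == "__main__":
    print(loopback_roundtrip())
```

Facility 1 / severity 6 (PRI 14) is the classic "user.info" combination, so the parsed tuple also tells you whether the relay delivered the bytes untouched; an LB that rewrites or truncates payloads would show up here as a PRI or payload mismatch.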

Happy Labbinggggggggggggggggg….!