Graylog: Getting started
How to get started with Graylog
👋 Welcome to the Stackhero documentation!
Stackhero offers a ready-to-use Graylog cloud solution that provides a host of benefits, including:
- Unlimited and dedicated SMTP email server included.
- Effortless updates with just a click.
- Customizable domain name secured with HTTPS (for example, https://logs.your-company.com).
- Optimal performance and robust security powered by a private and dedicated VM.
Save time and simplify your life: it only takes 5 minutes to try Stackhero's Graylog cloud hosting solution!
Creating your first input in Graylog
An input is the entry point where Graylog receives your logs. You can send logs via TCP or UDP. Additionally, Graylog can collect log entries from an API, a Kafka queue, a RabbitMQ server, and other sources.
In this example, we will create a raw UDP input. To start, open the Graylog interface and go to "System" then "Inputs". Select "Raw/Plaintext UDP" and click on "Launch new input". Configure your input with the following values and submit the form:
- Node: Select your node
- Title: RAW UDP
- Port: 5555
Next, open a terminal on your computer and send a UDP message to your Graylog server. Make sure to replace XXXXXX with your service domain name:
- On macOS:
echo "Hello Graylog from UDP" | nc -u -w1 -c <XXXXXX>.stackhero-network.com 5555
- On Linux:
echo "Hello Graylog from UDP" | nc -u -w1 <XXXXXX>.stackhero-network.com 5555
After sending the message, return to Graylog and click on "Search". You should see your message 🎉
Congratulations, you have just sent your first message to Graylog! Feel free to create additional inputs and dashboards tailored to your needs. For further information, you may find Graylog's official documentation helpful.
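The same raw UDP send done from Python, as an added example that is not part of this page or of Graylog's own code. It also runs the exchange against a local listener on 127.0.0.1 standing in for the Graylog input, which shows what a Raw/Plaintext UDP input actually receives: each datagram is stored as one message, and nothing on the wire acknowledges, encrypts or authenticates it. The hostname placeholder and port 5555 are the values from the steps above.

```python
import socket


def send_raw_udp(host, port, text, encoding="utf-8"):
    """Send one line of text as a single UDP datagram.

    A Raw/Plaintext UDP input stores each datagram as one message, so one
    call here is one entry in Graylog. Returns the number of bytes sent.
    """
    payload = text.encode(encoding)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (host, port))
    return len(payload)


def local_roundtrip(text):
    """Stand-in for the Graylog input: bind a UDP socket on localhost, send the
    text to it and return what arrived. Demonstrates that the input sees the
    raw datagram bytes, nothing more (no sender identity, no delivery receipt).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        listener.settimeout(2.0)
        port = listener.getsockname()[1]
        send_raw_udp("127.0.0.1", port, text)
        data, _peer = listener.recvfrom(65535)
    return data.decode("utf-8")


if __name__ == "__main__":
    # Local demonstration; nothing leaves the machine.
    print("local listener received:", local_roundtrip("Hello Graylog from UDP"))
    # Against your instance (replace the placeholder with your service domain name):
    # send_raw_udp("<XXXXXX>.stackhero-network.com", 5555, "Hello Graylog from UDP")
```

Because plain UDP carries no sender authentication, anyone who can reach port 5555 can inject messages; keep such inputs for trusted networks or testing, and use the TLS syslog setup described further down for anything that leaves your network.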
Graylog code examples
Several code examples are available in our Git repository. This repository provides practical implementations and additional customizations to help you get the most out of Graylog.
Sending rsyslog logs to Graylog with TLS encryption
If you have an rsyslog client and want to send your logs securely to Graylog, follow these steps:
- Do not enable any TLS option on Graylog's input. TLS will be handled directly by a reverse proxy on your instance, so Graylog does not manage it.
- Go to your Graylog service configuration in the Stackhero dashboard and enable "TLS encryption" for the Syslog TCP port 514.
- Update your rsyslog configuration as shown below. Replace <XXXXXX>.stackhero-network.com with your instance hostname:

# Define TLS CA certificate
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt"
)

# Send all logs to a remote server
# An on-disk queue is created for this action. If the remote host is
# unavailable, messages are spooled to disk and sent when it becomes available again
# See https://www.rsyslog.com/doc/v8-stable/configuration/actions.html
# and https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
*.* action(
  type="omfwd"
  target="<XXXXXX>.stackhero-network.com"
  port="514"
  protocol="tcp"
  KeepAlive="on"
  KeepAlive.Interval="30"
  StreamDriver="gtls"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
  ResendLastMSGOnReconnect="on"
  queue.filename="fwdRule1"  # unique name prefix for spool files
  queue.type="LinkedList"
  queue.maxDiskSpace="256m"
  queue.saveOnShutdown="on"
  action.resumeRetryCount="-1"
  action.resumeInterval="30"
)

- Restart your rsyslog service and verify the configuration by sending a log with the following command:
logger This is a test
The setup is now complete. You are now sending your logs securely to Graylog using TLS encryption!
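What the rsyslog configuration above does on the wire, as an added Python example that is not part of this page or of the rsyslog or Graylog projects: build one RFC 5424 syslog record (the `logger` command above emits user.notice, facility 1, severity 5, so PRI is 13), open a TLS connection to port 514, verify the server certificate against the system CA bundle and check that its DNS names cover the target host (the check `StreamDriverAuthMode="x509/name"` asks rsyslog's gtls driver to perform), then send the record newline-terminated, which is the default TCP framing both rsyslog and Graylog's syslog TCP input use. The hostname placeholder and CA file path are taken from the configuration above; the `myhost` and `test` values and the SAN dictionary used for the offline check are constructed for the example.

```python
import socket
import ssl
from datetime import datetime, timezone


def rfc5424_line(message, facility=1, severity=5, hostname="myhost", app="test", timestamp=None):
    """Build one RFC 5424 record: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.

    PRI = facility * 8 + severity. The defaults (facility 1, severity 5) are
    user.notice, which is what `logger` sends when no priority is given.
    """
    if timestamp is None:
        timestamp = (datetime.now(timezone.utc)
                     .isoformat(timespec="milliseconds")
                     .replace("+00:00", "Z"))
    pri = facility * 8 + severity
    return f"<{pri}>1 {timestamp} {hostname} {app} - - - {message}"


def dns_names(cert):
    """DNS entries of the subjectAltName extension, as returned by getpeercert()."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Match one certificate DNS name against the target host.

    A wildcard is honoured only as the entire leftmost label, so
    *.stackhero-network.com covers abc.stackhero-network.com but not
    a.b.stackhero-network.com and not stackhero-network.com itself.
    """
    p = pattern.lower().split(".")
    h = hostname.lower().split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def peer_name_permitted(cert, hostname):
    """x509/name rule: the presented certificate must name the host we configured as target."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def send_syslog_tls(host, message, port=514,
                    cafile="/etc/ssl/certs/ca-certificates.crt", timeout=10.0):
    """Send one record to the TLS syslog input, verifying chain and name first."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    record = (rfc5424_line(message) + "\n").encode("utf-8")  # newline framing, as omfwd does by default
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            # The context already rejected a wrong name; this makes the x509/name rule explicit.
            if not peer_name_permitted(cert, host):
                raise ssl.SSLCertVerificationError(f"peer name not permitted: {dns_names(cert)}")
            tls.sendall(record)
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "peer_names": dns_names(cert)}


if __name__ == "__main__":
    print(rfc5424_line("This is a test"))
    # Replace the placeholder with your instance hostname before running this line:
    # print(send_syslog_tls("<XXXXXX>.stackhero-network.com", "This is a test"))
```

If the certificate presented on port 514 does not name the host you configured, both this script and rsyslog with `x509/name` refuse to send, which is the intended behaviour: it is what stops a host that intercepts the connection from collecting your logs.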
Handling the error "failed to parse field [XXXX] of type [YYYY]"
You may encounter an error such as:
org.opensearch.index.mapper.MapperParsingException: failed to parse field [time] of type [long] in document with id 'xxxx'
You can view this error in the logs available in the Stackhero dashboard or in the Graylog admin panel under System > Overview > Indexer failures.
This error means that a log was sent with a value for the time field that does not match the expected type (in this case, a numeric value of type "long"). Graylog relies on the dynamic mapping feature of OpenSearch. When a log is sent for the first time, OpenSearch tries to guess the field types. For example, if a log contains the field time with the numeric value 1234, OpenSearch defines it as a numeric field. If another log is sent with the field time set to "abcd", a string, OpenSearch will reject it because it expects a numeric value.
Keep in mind that the field name time is just an example. This can apply to any field name and type.
To resolve this issue, you need to redefine the type that OpenSearch expects. For more information, please refer to the official Graylog documentation.
Update the OpenSearch mapping
Before proceeding, enable OpenSearch access in the Stackhero dashboard. Go to your Graylog service and click the "Configure" button to activate OpenSearch access.
Be careful with these changes, as incorrect configurations can block your OpenSearch cluster and lead to data loss. If you are unsure, do not proceed.
- Define your new mapping. In this example, we redefine the time field as a string type; in OpenSearch an unanalyzed string is the keyword type. You can find the available types in the OpenSearch field datatypes documentation.
- Save the following content to a file named graylog-custom-mapping.json:

{
  "index_patterns": ["graylog_*"],
  "mappings": {
    "properties": {
      "time": {
        "type": "keyword"
      }
    }
  }
}

- Upload this file using the following curl command (replace <XXXXXX>.stackhero-network.com with your instance domain name):

curl -u 'admin' -X PUT -d @'graylog-custom-mapping.json' -H 'Content-Type: application/json' 'https://<XXXXXX>.stackhero-network.com/opensearch/_template/graylog-custom-mapping?pretty'

You should receive a response like:

{
  "acknowledged": true
}

- Finally, verify that the mapping has been updated with this command (replace the domain as needed):

curl -u 'admin' -X GET 'https://<XXXXXX>.stackhero-network.com/opensearch/graylog_deflector/_mapping?pretty'
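The mechanism behind the "failed to parse field" error, and a check you can run over a sample of your own logs before they reach Graylog, as an added Python example that is not part of this page or of OpenSearch. `dynamic_type` is a simplified model of what OpenSearch's dynamic mapping picks when it sees a field for the first time, `accepts` models its default coercion (a field mapped as long still takes the string "5678", but not "abcd"), `check_documents` replays a list of documents in order and reports the same conflicts OpenSearch would, and `build_template` produces a legacy index template in the shape uploaded above for the fields you decide to pin. The sample documents are constructed for the example. One point worth keeping in mind with either approach: an index template only applies to indices created after it is uploaded, so the active index keeps its old mapping until the next index rotation.

```python
import json


def dynamic_type(value):
    """Type OpenSearch dynamic mapping assigns on first sight of a value (simplified model).

    Objects, arrays and null are skipped by this check. bool is tested before int
    because in Python bool is a subclass of int.
    """
    if isinstance(value, bool):
        return "boolean"
    if isinstance(value, int):
        return "long"
    if isinstance(value, float):
        return "float"
    if isinstance(value, str):
        return "text"
    return None


def accepts(mapped_type, value):
    """Would a field already mapped as mapped_type index this value?

    Models OpenSearch's default coercion: numeric fields accept numbers and
    numeric strings, string fields accept any scalar, booleans accept bool
    or the strings "true"/"false".
    """
    if mapped_type in ("long", "float"):
        if isinstance(value, bool):
            return False
        if isinstance(value, (int, float)):
            return True
        if isinstance(value, str):
            try:
                float(value)
                return True
            except ValueError:
                return False
        return False
    if mapped_type == "boolean":
        return isinstance(value, bool) or value in ("true", "false")
    if mapped_type in ("text", "keyword"):
        return isinstance(value, (str, int, float, bool))
    return True


def check_documents(docs):
    """Replay documents in arrival order: the first value fixes each field's type,
    later values that the fixed type cannot take are reported as failures."""
    mapping = {}
    failures = []
    for i, doc in enumerate(docs):
        for field, value in doc.items():
            inferred = dynamic_type(value)
            if inferred is None:
                continue
            if field not in mapping:
                mapping[field] = inferred
            elif not accepts(mapping[field], value):
                failures.append(
                    f"doc {i}: failed to parse field [{field}] of type "
                    f"[{mapping[field]}] (got {value!r})")
    return mapping, failures


def build_template(overrides, index_pattern="graylog_*"):
    """Legacy index template pinning the given fields, e.g. {"time": "keyword"}."""
    return {
        "index_patterns": [index_pattern],
        "mappings": {"properties": {f: {"type": t} for f, t in overrides.items()}},
    }


# Constructed sample: the first message makes "time" numeric, the second breaks it.
SAMPLE_DOCS = [
    {"time": 1234, "level": "info"},
    {"time": "abcd", "level": "warn"},
    {"time": "5678", "level": "error"},  # numeric string: coerced, accepted
    {"time": 42.5, "level": 7},          # number into a text field: accepted
]

if __name__ == "__main__":
    mapping, failures = check_documents(SAMPLE_DOCS)
    print("dynamic mapping:", mapping)
    for failure in failures:
        print(failure)
    with open("graylog-custom-mapping.json", "w") as fh:
        json.dump(build_template({"time": "keyword"}), fh, indent=2)
```

Running the check on a day's worth of sample messages before enabling a new log source tells you which fields need a pinned type; pinning them in the template up front is cheaper than discovering rejected documents under Indexer failures later.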
Handling the error "Unable to write audit log entry"
If you see an error such as:
Unable to write audit log entry because there is no valid license
or
Not running cleanup for auditlog entries in MongoDB because there is no valid license
this means that Graylog Enterprise has been enabled without a valid licence. If you have a licence, you can enter it in the Graylog interface. If you do not have a licence, simply disable Graylog Enterprise in the Stackhero dashboard.