Graylog: Sending rsyslog logs to Graylog with TLS encryption

This documentation is part of the Getting started guide. You can view the complete guide here: How to get started with Graylog.

If you have an rsyslog client and wish to send your logs securely to Graylog, follow these steps:

Do not enable any TLS option on the Graylog input itself. TLS is handled by a reverse proxy on your instance, so Graylog does not manage it.

  1. Go to your Graylog service configuration in the Stackhero dashboard and enable "TLS encryption" for the Syslog TCP port 514.

  2. Update your rsyslog configuration as shown below. Replace <XXXXXX>.stackhero-network.com with your instance hostname:

    # Use the GnuTLS stream driver and trust the system CA bundle
    global(
      DefaultNetstreamDriver="gtls"
      DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt"
    )
    
    # Send all logs to a remote server
    # An on-disk queue is created for this action. If the remote host is
    # unavailable, messages are spooled to disk and sent once it becomes available again
    # See https://www.rsyslog.com/doc/v8-stable/configuration/actions.html
    # and https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
    *.* action(
      type="omfwd"
      target="<XXXXXX>.stackhero-network.com"
      port="514"
      protocol="tcp"
      KeepAlive="on"
      KeepAlive.Interval="30"
      StreamDriver="gtls"
      StreamDriverMode="1"              # 1 = TLS only (0 would send plain TCP)
      StreamDriverAuthMode="x509/name"  # validate the server certificate and check its name
      ResendLastMSGOnReconnect="on"
      queue.filename="fwdRule1"  # unique prefix for spool files
      queue.type="LinkedList"
      queue.maxDiskSpace="256m"
      queue.saveOnShutdown="on"
      action.resumeRetryCount="-1"
      action.resumeInterval="30"
    )
    
  3. Restart your rsyslog service and check the configuration by sending a log with the following command:

    logger This is a test
    

The setup is complete. Your logs are now sent securely to Graylog via TLS!
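
An added example, not part of the original page or of Stackhero's or rsyslog's own code: a shell check that the forwarding action carries the TLS settings from step 2, plus a live handshake test against the endpoint. `logger` succeeds locally even when forwarding fails, because messages are spooled to the queue, so checking the settings and the handshake directly is more telling. The function names and the sample hostname `logs.example.invalid` are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not Stackhero or rsyslog code): audit the omfwd TLS settings shown above.

# Print the value of parameter $2 in rsyslog config $1 (names are case-insensitive).
conf_param() {
  sed 's/#.*//' "$1" | grep -iow "$2=\"[^\"]*\"" | head -n 1 | cut -d '"' -f 2
}

# Report each setting that differs from the page's TLS configuration.
# Returns 0 when all four match, 1 otherwise.
audit_omfwd_tls() {
  local conf=$1 rc=0 v
  v=$(conf_param "$conf" DefaultNetstreamDriverCAFile)
  [ -n "$v" ] || { echo "DefaultNetstreamDriverCAFile unset: no CA to verify the server against"; rc=1; }
  v=$(conf_param "$conf" StreamDriver)
  [ "$v" = "gtls" ] || { echo "StreamDriver='$v', expected gtls"; rc=1; }
  v=$(conf_param "$conf" StreamDriverMode)
  [ "$v" = "1" ] || { echo "StreamDriverMode='$v': only 1 enforces TLS, 0 is plain TCP"; rc=1; }
  v=$(conf_param "$conf" StreamDriverAuthMode)
  [ "$v" = "x509/name" ] || { echo "StreamDriverAuthMode='$v': server name is not checked"; rc=1; }
  return "$rc"
}

# Live check (needs network): handshake with the endpoint and verify chain and hostname.
probe_tls() {  # $1 = hostname, $2 = port, $3 = CA bundle
  openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
    -verify_hostname "$1" -verify_return_error </dev/null >/dev/null 2>&1
}

# Constructed sample configs: the page's settings, then a downgraded copy.
write_samples() {  # $1 = directory
  cat > "$1/good.conf" <<'EOF'
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt"
)
*.* action(type="omfwd" target="logs.example.invalid" port="514" protocol="tcp"
  StreamDriver="gtls" StreamDriverMode="1" StreamDriverAuthMode="x509/name")
EOF
  sed -e 's/StreamDriverMode="1"/StreamDriverMode="0"/' \
      -e 's/x509\/name/anon/' "$1/good.conf" > "$1/weak.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
audit_omfwd_tls "$tmp/good.conf" && echo "good.conf: TLS settings match"
audit_omfwd_tls "$tmp/weak.conf" || echo "weak.conf: findings above"
```

On a real host, run `audit_omfwd_tls` against your rsyslog configuration file and `probe_tls` with your instance hostname, port 514 and the CA bundle from the configuration. `rsyslogd -N1` additionally checks the configuration syntax before the restart.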