Graylog: Send rsyslog logs to Graylog using TLS encryption

This documentation is part of the Getting started guide. View the full guide here: How to get started with Graylog.

If you have an rsyslog client and want to send logs securely to Graylog, follow the steps below.

Do not activate any TLS option on Graylog's input. TLS is handled directly by a reverse proxy on your instance, so Graylog itself does not handle it.

  1. Go to your Graylog service configuration in the Stackhero dashboard and enable "TLS encryption" for the Syslog TCP port 514.

  2. Update your rsyslog configuration as outlined below. Replace <XXXXXX>.stackhero-network.com with your instance hostname:

    # Define TLS CA certificate
    global(
      DefaultNetstreamDriver="gtls"
      DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt"
    )
    
    # Send all logs to a remote server
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it becomes available again
    # See https://www.rsyslog.com/doc/v8-stable/configuration/actions.html
    # and https://www.rsyslog.com/doc/v8-stable/configuration/modules/omfwd.html
    *.* action(
      type="omfwd"
      target="<XXXXXX>.stackhero-network.com"
      port="514"
      protocol="tcp"
      KeepAlive="on"
      KeepAlive.Interval="30"
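      StreamDriver="gtls"
      # Mode "1" makes TLS mandatory for this connection
      StreamDriverMode="1"
      # x509/name validates the server certificate and checks its name
      StreamDriverAuthMode="x509/name"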
      ResendLastMSGOnReconnect="on"
      queue.filename="fwdRule1"  # unique name prefix for spool files
      queue.type="LinkedList"
      queue.maxDiskSpace="256m"
      queue.saveOnShutdown="on"
      action.resumeRetryCount="-1"
      action.resumeInterval="30"
    )
    
  3. Restart your rsyslog service and verify the configuration by sending a log using the command:

    logger This is a test
    

This completes the setup. You are now securely sending logs to Graylog using TLS encryption!
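
The following Python script is an added example, not part of Stackhero's or rsyslog's own tooling: it audits an rsyslog configuration for forwarding actions that do not enforce the TLS settings from step 2. The hostname `logs.example.invalid`, the sample configurations and the function names are constructed for illustration, and the parser assumes simple `name="value"` parameters with the CA file set in `global()` as on this page.

```python
import re
# Constructed sample: the page's forwarding action with a placeholder hostname.
GOOD = '''
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/ssl/certs/ca-certificates.crt"
)
*.* action(
  type="omfwd"
  target="logs.example.invalid"   # placeholder, not a real instance
  port="514"
  protocol="tcp"
  StreamDriver="gtls"
  StreamDriverMode="1"
  StreamDriverAuthMode="x509/name"
)
'''
# Constructed weak variant: TLS switched off and the peer left unauthenticated.
WEAK = GOOD.replace('Mode="1"', 'Mode="0"').replace('x509/name', 'anon')

PARAM = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')

def blocks(conf, keyword):
    """Yield a dict of lower-cased parameter names for each keyword(...) block."""
    conf = re.sub(r'#.*', '', conf)  # drop comments (assumes no '#' in values)
    for m in re.finditer(r'\b' + keyword + r'\s*\((.*?)\)', conf, re.S | re.I):
        yield {k.lower(): v for k, v in PARAM.findall(m.group(1))}

def audit(conf):
    """Return findings for omfwd actions that do not enforce verified TLS."""
    findings = []
    glob = next(blocks(conf, 'global'), {})
    if not glob.get('defaultnetstreamdrivercafile'):
        findings.append('global: DefaultNetstreamDriverCAFile is not set')
    for act in blocks(conf, 'action'):
        if act.get('type') != 'omfwd':
            continue
        tgt = act.get('target', '?')
        if act.get('protocol', '').lower() != 'tcp':
            findings.append(f'{tgt}: protocol is not "tcp"')
        if act.get('streamdrivermode') != '1':
            findings.append(f'{tgt}: StreamDriverMode is not "1", TLS is not enforced')
        if act.get('streamdriverauthmode', '').lower() != 'x509/name':
            findings.append(f'{tgt}: StreamDriverAuthMode is not "x509/name"')
    return findings

if __name__ == '__main__':
    for name, conf in (('GOOD', GOOD), ('WEAK', WEAK)):
        print(name, audit(conf) or 'ok')
```

To audit a real client, pass the contents of its rsyslog configuration file to `audit()`; an empty list means every `omfwd` action matches the settings above.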