Send logs to Graylog

Graylog is a centralized log management solution providing log analysis, real-time searching, data visualization, and alerting. Two editions are available; Graylog open source includes the core Graylog SIEM and is free to use. Graylog enterprise requires a license and offers additional log analytics and anomaly detection for a complete security platform.

NXLog Agent can forward logs to Graylog over TCP with TLS or UDP. It also has a specialized Graylog Extended Log Format (GELF) module for parsing and formatting GELF logs. You can collect logs with NXLog Agent from diverse log sources, including Windows, Linux, and macOS, and send them directly to the Graylog server. Alternatively, you can use NXLog Agent as a relay, receiving logs from different sources over the network and forwarding them to Graylog from a single instance or an NXLog Agent cluster. NXLog Agent’s advanced log collection, processing, and forwarding capabilities make it the ideal alternative to the Graylog Forwarder.

Configure Graylog to receive logs

These steps assume that you have already installed the Graylog server application. See Installing Graylog in the Graylog documentation for installation and initial configuration instructions.

Graylog accepts logs via message inputs and requires you to configure separate inputs for each protocol and log format combination. For example, a message input can receive GELF logs over TCP or syslog over UDP. The instructions below will guide you through creating and configuring a Graylog input.

  1. Open the Graylog web interface and navigate to System > Inputs.

  2. Choose an input type from the Select input dropdown and click Launch new input. The screenshot below shows GELF TCP selected.

    Graylog select input type
  3. Enter the input parameters in the Launch new input dialog. For example, to create a new GELF TCP input:

    1. Select the Graylog Node where this input should start, or enable the Global option to start it on all nodes.

    2. Enter a friendly name to identify the input in the Title field.

    3. Specify the IP address on which the input will listen for connections in the Bind address field.

    4. Specify the port number the input will listen on in the Port field.

      Graylog launch new input
    5. Optionally, enable TLS and configure the required settings. See Enable Graylog input TLS below.

  4. Click Save, and you will see the new input on the Inputs page shortly after.

    Graylog GELF TCP input

Enable Graylog input TLS

Certain Graylog input types, such as TCP and HTTP, support data transfer with TLS. To configure Graylog and NXLog Agent with TLS, you need the following:

  • A Certificate Authority (CA) certificate

  • A Graylog server certificate and private key

  • An NXLog Agent client certificate and private key

To configure your Graylog input with TLS:

  1. Open the Graylog web interface and navigate to System > Inputs.

  2. Select More actions > Edit input next to the relevant input.

  3. Enter the path to the Graylog server certificate in the TLS cert file field.

  4. Enter the path to the Graylog server private key in the TLS private key file field.

  5. Check the Enable TLS option.

  6. If your private key is password-protected, enter the password in the TLS key password field.

  7. Select required for TLS client authentication.

  8. Enter the path to the CA certificate or the NXLog Agent client certificate in the TLS Client Auth Trusted Certs field.

    The graylog-server service user, graylog by default, must be able to access the specified certificates.
    Graylog input TLS

Configure NXLog Agent to send logs to Graylog

The following NXLog Agent configuration examples demonstrate how to send logs to Graylog in GELF over UDP and TCP with TLS.

Example 1. Sending Windows logs to Graylog over UDP

This configuration uses the im_etw input module to collect Microsoft Windows DNS client logs via ETW. It then forwards the logs to Graylog using the om_udp output module. The OutputType directive specifies the GELF_UDP output writer function provided by the xm_gelf module.

The Graylog server must have a GELF_UDP input configured and running to accept the logs from NXLog Agent. See Configure Graylog to receive logs above for more information.

nxlog.conf
<Extension gelf>
    Module        xm_gelf
</Extension>

<Input dns_client_logs>
    Module        im_etw
    Provider      Microsoft-Windows-DNS-Client
</Input>

<Output graylog_udp>
    Module        om_udp
    Host          192.168.43.29:12201
    OutputType    GELF_UDP
</Output>

Example 2. Sending systemd logs to Graylog using TLS/SSL

This configuration uses the im_systemd input module to collect Linux systemd logs. It then forwards the logs to Graylog securely using the om_ssl output module. The OutputType directive specifies the GELF_TCP output writer function provided by the xm_gelf module.

The Graylog server must have a GELF_TCP input configured with TLS and running to accept the logs from NXLog Agent. See Configure Graylog to receive logs above for more information.

nxlog.conf
<Extension gelf>
    Module         xm_gelf
</Extension>

<Input systemd_logs>
    Module         im_systemd
</Input>

<Output graylog_ssl>
    Module         om_ssl
    Host           192.168.43.29:10500
    OutputType     GELF_TCP

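    # (1) NXLog Agent client certificate
    CertFile       /opt/nxlog/cert/nxlog.crt
    # (2) NXLog Agent private key
    CertKeyFile    /opt/nxlog/cert/nxlog.key
    # (3) Password of the private key
    KeyPass        secret
    # (4) CA certificate used to verify the Graylog server certificate
    CAFile         /opt/nxlog/cert/rootCA.pem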
</Output>

(1) The CertFile directive specifies the path to the NXLog Agent client certificate.
(2) The CertKeyFile directive specifies the path to the NXLog Agent private key.
(3) The KeyPass directive specifies the password for password-protected private keys.
(4) The CAFile directive specifies the path to the Certificate Authority (CA) certificate that will be used to verify the Graylog server certificate.
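
To check the TLS input independently of NXLog Agent, the Python script below (an added example, not part of the original guide or NXLog's code) presents the client certificate from Example 2, verifies the Graylog server certificate against the same CA, and sends one GELF record terminated by a NUL byte, the framing a GELF TCP input expects. The function names are illustrative, and it assumes the Graylog certificate lists the address you connect to as a subject alternative name.

```python
import json
import socket
import ssl
import time

# Host, port and certificate directory as used in Example 2.
GRAYLOG = ("192.168.43.29", 10500)
CERT_DIR = "/opt/nxlog/cert/"


def build_gelf_frame(short_message, host, level=6, **extra):
    """One GELF 1.1 record framed for a GELF TCP input: JSON plus a NUL byte."""
    record = {"version": "1.1", "host": host, "short_message": short_message,
              "timestamp": round(time.time(), 3), "level": level}
    # Additional fields carry a "_" prefix in GELF.
    record.update({"_" + key: value for key, value in extra.items()})
    return json.dumps(record).encode("utf-8") + b"\x00"


def make_client_context(ca_file, cert_file, key_file, key_password=None):
    """Verify the server against ca_file and present the client certificate."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file, password=key_password)
    return ctx


def send_frame(ctx, address, frame, timeout=5.0):
    """Send one frame and return the TLS version; raise if the server refuses us."""
    with socket.create_connection(address, timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=address[0]) as tls:
            tls.sendall(frame)
            tls.settimeout(2.0)
            try:
                # No reply is expected; under TLS 1.3 a rejected client
                # certificate only surfaces on the next read, so probe once.
                if tls.recv(1) == b"":
                    raise ConnectionError("server closed the connection")
            except socket.timeout:
                pass  # silence: the input kept the connection open
            return tls.version()


if __name__ == "__main__":
    context = make_client_context(CERT_DIR + "rootCA.pem", CERT_DIR + "nxlog.crt",
                                  CERT_DIR + "nxlog.key", key_password="secret")
    frame = build_gelf_frame("TLS input test", socket.gethostname(), check="mutual_tls")
    try:
        print("accepted over", send_frame(context, GRAYLOG, frame))
    except OSError as err:  # ssl.SSLError and timeouts are OSError subclasses
        print("rejected or unreachable:", err)
```

Running it once with the client certificate and once without the `load_cert_chain` call shows whether the input really enforces client authentication.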

Manage NXLog Agent from a Graylog Sidecar

Graylog Sidecar is a lightweight configuration management system that enables you to manage multiple NXLog Agent instances from the Graylog web interface.

To manage NXLog Agent from a Sidecar, you must first configure a collector from the Graylog web interface:

  1. Navigate to System > Sidecars and click the Configuration button.

  2. Click the Edit button next to the type of NXLog Agent collector you would like to configure, i.e., Linux or Windows.

  3. Provide the collector settings and click the Update button. The table below contains the settings for default NXLog Agent installations on Windows and Linux.

    Table 1. Graylog Log Collector settings

    Parameter name                            Microsoft Windows                   Linux
    Executable Path                           C:\Program Files\nxlog\nxlog.exe    /opt/nxlog/bin/nxlog
    Execute Parameters                        -c "%s"                             -f -q -c %s
    Parameters for Configuration Validation   -v -f -c "%s"                       -v -c %s

Next, create the collector configuration:

  1. While on the Log Collector page, click the Configuration button.

  2. Click Create Configuration in the Configurations section.

  3. Specify a name for the configuration, select the previously configured collector from the Collector dropdown, and enter the NXLog Agent configuration. The configuration you specify here will override the collector’s default configuration. See the configuration example below.

  4. Click Create to create the configuration.

You can now install and configure Graylog Sidecar:

  1. Navigate to System > Sidecars and click the Create or reuse a token for the <graylog-sidecar> user link under Sidecars Overview.

  2. Enter a Token Name and click Create Token. Take note of the new token; you will need it in the following steps.

  3. Install Graylog Sidecar on each NXLog Agent machine. See the Graylog Sidecar documentation for installation instructions and use the token from the previous step when directed to update the server_api_token parameter in the sidecar.yml configuration file. See Sidecar Configuration in the Graylog documentation for more configuration options.

  4. Follow the collector installation instructions in the Graylog documentation to install and disable NXLog Agent.

Finally, bind the sidecar to an NXLog Agent configuration from the Graylog web interface:

  1. Navigate to System > Sidecars.

  2. Click the Manage sidecar button next to the relevant sidecar.

  3. Select the collector you want to associate with this sidecar and click Configuration.

  4. Select the configuration to assign to the collector, review the Configuration summary and click Confirm to apply the settings.

    Graylog Sidecar collector configuration

Example 3. NXLog Agent configuration for Graylog Sidecar

This configuration uses the im_file input module to collect Linux system logs. It then forwards the logs to Graylog using the om_udp output module. The OutputType directive specifies the GELF_UDP output writer function provided by the xm_gelf module.

The Graylog Sidecar must be associated with a GELF_UDP input to accept the logs from NXLog Agent. See the Sidecar configuration instructions above for more information.

nxlog.conf
Panic Soft

define INSTALLDIR /opt/nxlog
define CERTDIR %INSTALLDIR%/cert
define CONFDIR %INSTALLDIR%/etc/nxlog.d
define LOGDIR %INSTALLDIR%/var/log/nxlog
define MYLOGFILE %LOGDIR%/nxlog.log

LogLevel    INFO
LogFile     %MYLOGFILE%

<Extension syslog>
    Module        xm_syslog
</Extension>

<Extension gelf>
    Module        xm_gelf
</Extension>

<Input file>
    Module        im_file
    File          '/var/log/syslog'
    <Exec>
        # (1) Parse the log record into structured data
        parse_syslog();

        # These fields are needed for Graylog (2)
        $gl2_source_collector = '${sidecar.nodeId}';
        $collector_node_id = '${sidecar.nodeName}';
    </Exec>
</Input>

<Output graylog_udp>
    Module        om_udp
    # (3) IP address and port of the Graylog input
    Host          192.168.43.29:12201
    OutputType    GELF_UDP
</Output>

<Route 1>
    Path          file => graylog_udp
</Route>

(1) Parses log records into structured data using the parse_syslog() procedure of the xm_syslog module.
(2) Adds two fields required by Graylog to associate log records with the sidecar. The value for both fields is a runtime variable that will be replaced with an actual sidecar ID and name. See Using configuration variables in the Graylog documentation for more information.
(3) Forwards logs to a Graylog input listening on this IP and port.
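
Because a Sidecar configuration is pushed to every bound NXLog Agent instance, it is worth reviewing how its Output blocks transport logs before assigning it. The Python check below is an added example, not part of the original guide or of NXLog or Graylog tooling; it reads nxlog.conf text and reports outputs that send logs unencrypted (om_udp, om_tcp) and om_ssl outputs that skip server verification, lack a client certificate, or keep the key password in the file. The sample input is constructed from the Output blocks of Examples 1 and 2 plus a hypothetical graylog_lab block, and the function name is illustrative.

```python
import re

# Constructed sample: Output blocks of Examples 1 and 2 plus a hypothetical one.
SAMPLE_CONF = """
<Output graylog_udp>
    Module        om_udp
    Host          192.168.43.29:12201
    OutputType    GELF_UDP
</Output>
<Output graylog_ssl>
    Module        om_ssl
    Host          192.168.43.29:10500
    OutputType    GELF_TCP
    CertFile      /opt/nxlog/cert/nxlog.crt
    CertKeyFile   /opt/nxlog/cert/nxlog.key
    KeyPass       secret
    CAFile        /opt/nxlog/cert/rootCA.pem
</Output>
<Output graylog_lab>
    Module        om_ssl
    AllowUntrusted TRUE
</Output>
"""

BLOCK_RE = re.compile(r"<Output\s+([^>\s]+)>(.*?)</Output>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^[ \t]*(\w+)[ \t]+(.+?)[ \t]*$", re.M)  # skips '#' lines


def audit_outputs(conf_text):
    """Map each <Output> block name to a list of transport-security findings."""
    report = {}
    for name, body in BLOCK_RE.findall(conf_text):
        opts = {key.lower(): value for key, value in DIRECTIVE_RE.findall(body)}
        module, findings = opts.get("module", "").lower(), []
        if module in ("om_udp", "om_tcp"):
            findings.append("cleartext transport")
        elif module == "om_ssl":
            if opts.get("allowuntrusted", "FALSE").upper() == "TRUE":
                findings.append("server certificate not verified")
            if not set(opts) >= {"certfile", "certkeyfile"}:
                findings.append("no client certificate for mutual TLS")
            if "keypass" in opts:
                findings.append("key password stored in the configuration file")
        report[name] = findings
    return report


if __name__ == "__main__":
    for output, issues in audit_outputs(SAMPLE_CONF).items():
        print(output, "->", issues or "ok")
```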

Verifying data with Graylog search

You can verify the reception of logs from the Graylog web interface. Navigate to System > Inputs and click the Show received messages button next to the relevant input.

Graylog input status

You will be taken to the Search page with a filter for logs received by the chosen input.

Graylog received logs

Click on a message to view the log details.

Graylog received log detail

You can export logs to CSV, JSON, NDJSON (newline-delimited JSON), or plain text by expanding the actions dropdown and selecting Export.

Export logs from Graylog

Choose the export format and fields, enter an optional message limit, and click Start Download.

Graylog log export options

Disclaimer

While we endeavor to keep the information in our guides up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

The accuracy of the content was tested and confirmed in our lab environment at the time of the last revision with the following software versions:

NXLog Agent version 5.6.7727
Graylog 4.3.8
Graylog Sidecar 1.2.0

Last revision: 21 October 2022