Ubuntu – Sending logs to Graylog2 server

Tags: apache-2.2, graylog, logging, rsyslog, Ubuntu

I have just set up a Graylog2 server and I am looking to send all logs from my main server to the Graylog server. I have enabled logging for the main server and am sending logs to my Graylog server by adding *.* @logs.example.com:1337 to /etc/rsyslog.conf.

What I want is to have Graylog2 collect all my Apache logs, system logs (for SSH logins, rejected logins) and any other logs I need to monitor.

For the Apache logs, I would also like the Rails logs. My sites are located in /srv/www/ and then the structure is sitename.com/public_html and sitename.com/logs. I have many sites on the server and I would like an easy way to view all of the errors and make some nice graphs out of them, hence why I want to use Graylog2…

The log files in the logs folder are access.log and error.log.

The Rails logs would be in sitename.com/public_html/log. This contains production.log.

Best Answer

This is old, but I thought I would write up this method, which I use for low/medium traffic sites (I don't know if it will work well for heavy traffic sites):

In Apache, I define a CustomLog format called graylog2_access, which formats the access log into a GELF format, and then I send my log through Graylog2 by piping the log data through nc to send GELF messages to Graylog2's input.

Here is the custom format that it creates (human readable):

{ 
 "version": "1.1",
 "host": "%V",
 "short_message": "%r",
 "timestamp": %{%s}t,
 "level": 6,
 "_user_agent": "%{User-Agent}i",
 "_source_ip": "%a",
 "_duration_usec": %D,
 "_duration_sec": %T,
 "_request_size_byte": %O,
 "_http_status": %s,
 "_http_request_path": "%U",
 "_http_request": "%U%q",
 "_http_method": "%m",
 "_http_referer": "%{Referer}i"
}

For the Apache config, here is a copy/paste version:

LogFormat "{ \"version\": \"1.1\", \"host\": \"%V\", \"short_message\": \"%r\", \"timestamp\": %{%s}t, \"level\": 6, \"_user_agent\": \"%{User-Agent}i\", \"_source_ip\": \"%a\", \"_duration_usec\": %D, \"_duration_sec\": %T, \"_request_size_byte\": %O, \"_http_status\": %s, \"_http_request_path\": \"%U\", \"_http_request\": \"%U%q\", \"_http_method\": \"%m\", \"_http_referer\": \"%{Referer}i\" }" graylog2_access

Then in your host configuration:

CustomLog "|nc -u graylogserver 12201" graylog2_access
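Added example, not part of the answer above: a checker for lines produced by the graylog2_access format. Apache's mod_log_config writes non-printable bytes in %r and %{...}i as \xhh, which is not a valid JSON escape, so a line containing one does not parse as GELF; this rewrites those escapes and validates the mandatory GELF 1.1 fields. The function name normalize_gelf_line and the sample lines are constructed for illustration.

```python
import json
import re
import sys

# Apache writes non-printable bytes in %r and %{...}i as \xhh and a vertical
# tab as \v; neither is a legal JSON escape. \\ and \" are matched too, so an
# escaped backslash followed by "x41" is not mistaken for \x41.
_APACHE_ESCAPE = re.compile(r'\\(\\|"|x[0-9a-fA-F]{2}|v)')
REQUIRED = ("version", "host", "short_message")  # mandatory GELF 1.1 fields

# Constructed sample lines in the graylog2_access format (not real traffic).
SAMPLE_OK = r'{ "version": "1.1", "host": "example.com", "short_message": "GET / HTTP/1.1", "timestamp": 1700000000, "level": 6, "_http_status": 200 }'
SAMPLE_ESCAPED = r'{ "version": "1.1", "host": "example.com", "short_message": "GET /a\\x41 HTTP/1.1", "timestamp": 1700000000, "level": 6, "_user_agent": "agent\x01 \"q\"" }'


def _to_json_escape(match):
    esc = match.group(1)
    if esc[0] == "x":
        return "\\u00" + esc[1:]   # byte value mapped to U+00hh, not UTF-8 decoded
    if esc == "v":
        return "\\u000b"
    return match.group(0)          # \\ and \" are already valid JSON


def normalize_gelf_line(line):
    """Parse one graylog2_access line into a GELF dict, or raise ValueError."""
    fixed = _APACHE_ESCAPE.sub(_to_json_escape, line.strip())
    try:
        msg = json.loads(fixed)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {exc}") from exc
    if not isinstance(msg, dict):
        raise ValueError("not a JSON object")
    missing = [k for k in REQUIRED if not msg.get(k)]
    if missing:
        raise ValueError(f"missing GELF fields: {missing}")
    return msg


if __name__ == "__main__":
    # Filter mode: valid messages to stdout, rejected lines reported on stderr.
    for raw in sys.stdin:
        try:
            print(json.dumps(normalize_gelf_line(raw)), flush=True)
        except ValueError as err:
            print(f"rejected: {err}: {raw.rstrip()}", file=sys.stderr)
```

Run over a captured copy of the log, the stderr output shows which requests would not have parsed as GELF.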