Logging Scenario - Send Local Logs to Graylog

Scenario: You want to save gateway/relay logs to Graylog. This guide presents a simple method to send all gateway/relay logs to your Graylog log server using Filebeat as a "sidecar".

As with all gateway/relay logs, the logs stored on the gateway/relay will not include Admin UI activities, which can be accessed via the sdm audit activities command.

Setting up the export

  1. Enable relay logging in the Admin UI under Settings / Log Encryption & Storage. Ensure logging is set to FILE.

  2. Create a standard "Filebeat on Linux" Sidecar/Collector as per the Graylog documentation.

  3. Use the following configuration for your Collector:

    # Needed for Graylog
    fields_under_root: true
    fields.collector_node_id: ${sidecar.nodeName}
    fields.gl2_source_collector: ${sidecar.nodeId}

    filebeat.inputs:
    - input_type: log
      paths:
        - /home/ubuntu/.sdm/logs/*.log   # step 4: absolute path to your SDM logs folder
      type: log
    output.logstash:
      hosts: [""]                        # step 5: host/IP and port of your Graylog server
    path:
      data: /var/lib/graylog-sidecar/collectors/filebeat/data
      logs: /var/lib/graylog-sidecar/collectors/filebeat/log

  4. Modify the paths value to use the absolute path to your SDM logs folder.

  5. Modify the hosts value to use the host/IP and port for your Graylog server, so that the Sidecar can push logs to it.

  6. Check your Graylog console and look for messages like this:

    [Screenshot: Graylog Console]
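
A pre-flight check for the two values edited in steps 4 and 5, as an added example (not part of the original guide, nor strongDM or Graylog tooling): it flags a non-absolute paths entry and an empty or port-less hosts entry before the collector is deployed. The function names and the graylog.example.internal:5044 address are assumptions made for illustration.

```python
import glob
import os
import re

# Constructed sample: the collector config from step 3 with steps 4 and 5 applied.
# graylog.example.internal:5044 is a placeholder, not a value from the guide.
SAMPLE_CONFIG = """\
filebeat.inputs:
- input_type: log
  paths:
    - /home/ubuntu/.sdm/logs/*.log
  type: log
output.logstash:
  hosts: ["graylog.example.internal:5044"]
"""

def _list_under(text, key):
    """Return the '- item' entries of the block list that follows `key:`."""
    items, inside = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == key + ":":
            inside = True
        elif inside and stripped.startswith("- "):
            items.append(stripped[2:].strip().strip("'\""))
        elif inside and stripped:
            break  # first non-list line ends the block
    return items

def check_collector_config(text, check_files=False):
    """List problems with paths (step 4) and hosts (step 5); hostname/IPv4 hosts only."""
    problems = []
    paths = _list_under(text, "paths")
    if not paths:
        problems.append("no paths entries found")
    for p in paths:
        if not os.path.isabs(p):
            problems.append(f"path is not absolute: {p}")
        elif check_files and not glob.glob(p):
            problems.append(f"no log files match: {p}")
    m = re.search(r"^\s*hosts:\s*\[(.*?)\]", text, re.MULTILINE)
    hosts = [h.strip().strip("'\"") for h in m.group(1).split(",")] if m else []
    hosts = [h for h in hosts if h]
    if not hosts:
        problems.append("hosts is empty: set the Graylog host/IP and port")
    for h in hosts:
        if not re.fullmatch(r"[^\s:]+:\d{1,5}", h):
            problems.append(f"host is missing a port: {h}")
    return problems
```

Run it on the gateway/relay host with check_files=True to also confirm that the paths glob matches at least one log file.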
