
Graylog


Graylog Server repository

rsyslog configuration for the 2 servers

sudo nano /etc/rsyslog.conf

# start forwarding rule 1
# The $ActionQueue* directives apply only to the action line that follows them
# and are reset afterwards, which is why every forwarding rule repeats them.
# The disk-assisted queue files are written under the configured $WorkDirectory.
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName srvrfwd1 # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
*.* @10.0.5.112:1514 # single @ = plain UDP, no delivery guarantee; @@ would be TCP
# end forwarding rule 1

# start forwarding rule 2
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName srvrfwd2 # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down
*.* @10.0.0.59:514 # UDP to the second collector on the standard syslog port
# end forwarding rule 2

restart rsyslog and check that it came back up without config errors

sudo systemctl restart rsyslog.service
sudo systemctl status rsyslog.service

send a test GELF event over UDP (port 15555 must match a GELF UDP input configured in Graylog; nc -u sends the JSON as a single datagram)

echo -n '{ "version": "1.1", "host": "pfsense.homelab.lan", "short_message": "A short message", "level": 5, "_some_info": "foo" }' | nc -w0 -u 10.0.5.112 15555
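The same GELF message built and sent from Python, as an added example that is not part of the original page or Graylog's own code. It goes beyond the one-liner above by applying the GELF UDP chunking rules, which the nc test cannot exercise: datagrams above the chunk size get the 12-byte chunk header (magic 0x1e0f, 8-byte message id, sequence number, sequence count) so Graylog can reassemble them, at most 128 chunks per message, and the additional field name "id" is refused because "_id" is reserved. The target 10.0.5.112:15555 is the input used on this page; the 1420-byte datagram size is an assumption (an Ethernet-MTU-safe value).

```python
"""GELF 1.1 over UDP with spec-conformant chunking. Added example, not Graylog's code.
Assumed target: 10.0.5.112:15555 (the GELF UDP input used on this page)."""
import json
import os
import socket

GELF_CHUNK_MAGIC = b"\x1e\x0f"   # first two bytes of every chunked datagram
CHUNK_HEADER_LEN = 12            # magic(2) + message id(8) + seq no(1) + seq count(1)
MAX_CHUNKS = 128                 # hard limit in the GELF spec
DEFAULT_CHUNK_SIZE = 1420        # whole datagram size; Ethernet-MTU-safe value (assumption)
RESERVED_ADDITIONAL = {"id"}     # "_id" is reserved; Graylog does not accept it as a field


def build_gelf(host, short_message, level=5, full_message=None, **additional):
    """Return the UTF-8 JSON bytes of one GELF 1.1 message.
    Additional fields are passed without the underscore and prefixed here."""
    msg = {"version": "1.1", "host": host, "short_message": short_message, "level": level}
    if full_message is not None:
        msg["full_message"] = full_message
    for name, value in additional.items():
        if name in RESERVED_ADDITIONAL:
            raise ValueError(f"_{name} is reserved by GELF")
        msg[f"_{name}"] = value
    return json.dumps(msg).encode("utf-8")


def decode_gelf(payload):
    """Decode a plain (unchunked, uncompressed) GELF payload back into a dict."""
    return json.loads(payload.decode("utf-8"))


def chunk_gelf(payload, chunk_size=DEFAULT_CHUNK_SIZE, message_id=None):
    """Split a payload into UDP datagrams. Payloads that fit go unchanged in one
    datagram; larger ones are chunked with the GELF chunk header."""
    if len(payload) <= chunk_size:
        return [payload]
    message_id = message_id or os.urandom(8)          # 8 random bytes, unique per message
    data_per_chunk = chunk_size - CHUNK_HEADER_LEN
    pieces = [payload[i:i + data_per_chunk] for i in range(0, len(payload), data_per_chunk)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError(f"payload needs {len(pieces)} chunks, GELF allows at most {MAX_CHUNKS}")
    return [GELF_CHUNK_MAGIC + message_id + bytes([seq, len(pieces)]) + piece
            for seq, piece in enumerate(pieces)]


def reassemble_chunks(datagrams):
    """Inverse of chunk_gelf (what the Graylog input does); handy for checking the chunker.
    Chunks may arrive in any order; a missing chunk or a mixed message id is an error."""
    if len(datagrams) == 1 and not datagrams[0].startswith(GELF_CHUNK_MAGIC):
        return datagrams[0]
    pieces, msg_id, total = {}, None, None
    for d in datagrams:
        if not d.startswith(GELF_CHUNK_MAGIC) or len(d) < CHUNK_HEADER_LEN:
            raise ValueError("not a GELF chunk")
        this_id, seq, count = d[2:10], d[10], d[11]
        if msg_id is None:
            msg_id, total = this_id, count
        elif this_id != msg_id or count != total:
            raise ValueError("chunks belong to different messages")
        pieces[seq] = d[CHUNK_HEADER_LEN:]
    if sorted(pieces) != list(range(total)):
        raise ValueError(f"missing chunks: have {sorted(pieces)} of {total}")
    return b"".join(pieces[i] for i in range(total))


def send_gelf_udp(payload, addr=("10.0.5.112", 15555)):
    """Send one GELF message, chunked if needed. Returns the number of datagrams sent."""
    datagrams = chunk_gelf(payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for d in datagrams:
            sock.sendto(d, addr)
    return len(datagrams)


if __name__ == "__main__":
    # Same event as the nc one-liner on this page.
    sent = send_gelf_udp(build_gelf("pfsense.homelab.lan", "A short message", some_info="foo"))
    print(f"sent {sent} datagram(s)")
```

UDP gives no feedback, so if nothing shows up in Graylog check the input is running and listening on 15555, and that the message passed its size limit; a message that needs more than 128 chunks is rejected by this code before it is sent rather than silently dropped by the receiver.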

Maintenance

clear all messages (this deletes every index in the cluster, not only Graylog's; Elasticsearch 8 refuses wildcard deletes unless action.destructive_requires_name is set to false)

curl -XDELETE 'http://localhost:9200/*'

cluster status red

  • Find UNASSIGNED shards; an unassigned primary is what turns the cluster red (an unassigned replica only makes it yellow). Then either delete the index or force-allocate a stale primary copy (below); both options lose data.
curl -XGET 'http://localhost:9200/_cat/shards?v'

delete the index (everything stored in it is lost)

curl -XDELETE http://localhost:9200/itarmy-swarm_2

alternatively, before deleting, force allocation of the stale primary copy on the node that still holds one (here e5170931ff71; find it with _cluster/allocation/explain or _cat/nodes). accept_data_loss acknowledges that writes the stale copy never received are gone.

curl -XPOST 'http://localhost:9200/_cluster/reroute' -H 'Content-Type: application/json' -d '{
  "commands": [
    {
      "allocate_stale_primary": {
        "index": "itarmy-swarm_2",
        "shard": 0,
        "node": "e5170931ff71",
        "accept_data_loss": true
      }
    }
  ]
}'
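The red-cluster triage above as a small Python tool, added here as an example and not part of the original page or of Graylog's or Elasticsearch's own code. It parses `_cat/shards?v` output, picks out the unassigned primaries (the ones that actually cause a red status), and builds the `_cluster/allocation/explain` and `_cluster/reroute` request bodies so the stale-primary allocation is tried, and inspected, before anything is deleted. The sample `_cat/shards` output is constructed; the cluster URL http://localhost:9200, the index itarmy-swarm_2 and the node e5170931ff71 match the commands on this page.

```python
"""Triage helpers for a red Elasticsearch cluster. Added example, not Graylog's or
Elasticsearch's code. Assumes the cluster at http://localhost:9200 as on this page."""
import json
import urllib.request

ES_URL = "http://localhost:9200"

# Constructed sample of `_cat/shards?v` output: one healthy primary, one unassigned
# replica (yellow) and one unassigned primary (red), using this page's names.
SAMPLE_CAT_SHARDS = """\
index          shard prirep state      docs  store ip          node
graylog_0      0     p      STARTED    41233 12mb  10.0.5.112  e5170931ff71
graylog_0      0     r      UNASSIGNED
itarmy-swarm_2 0     p      UNASSIGNED
"""


def parse_cat_shards(text):
    """Parse the whitespace-separated `_cat/shards?v` table into dicts.
    Only the first four columns are relied on: the remaining columns vary by
    Elasticsearch version and are absent on UNASSIGNED rows."""
    lines = [line for line in text.splitlines() if line.strip()]
    rows = []
    for line in lines[1:]:                     # lines[0] is the header
        cols = line.split()
        rows.append({
            "index": cols[0],
            "shard": int(cols[1]),
            "primary": cols[2] == "p",
            "state": cols[3],
            "node": cols[-1] if len(cols) > 4 else None,
        })
    return rows


def unassigned_primaries(rows):
    """(index, shard) pairs whose primary is unassigned: these make the cluster red."""
    return [(r["index"], r["shard"]) for r in rows
            if r["state"] == "UNASSIGNED" and r["primary"]]


def explain_body(index, shard, primary=True):
    """Body for GET/POST _cluster/allocation/explain: tells you why the shard is
    unassigned and which nodes still hold a (possibly stale) copy."""
    return {"index": index, "shard": shard, "primary": primary}


def allocate_stale_primary_body(index, shard, node):
    """Body for POST _cluster/reroute, identical to the curl command on this page.
    accept_data_loss is mandatory for this command and means what it says."""
    return {"commands": [{"allocate_stale_primary": {
        "index": index, "shard": shard, "node": node, "accept_data_loss": True}}]}


def plan(cat_shards_text, node):
    """For every unassigned primary, the explain body to look at first and the
    reroute body to run afterwards. Deleting the index stays a manual decision."""
    return [{"index": idx, "shard": sh,
             "explain": explain_body(idx, sh),
             "reroute": allocate_stale_primary_body(idx, sh, node)}
            for idx, sh in unassigned_primaries(parse_cat_shards(cat_shards_text))]


def as_curl(path, body, method="POST", base_url=ES_URL):
    """Render a request as the curl command line used elsewhere on this page."""
    return (f"curl -X{method} '{base_url}{path}' -H 'Content-Type: application/json' "
            f"-d '{json.dumps(body)}'")


def es_request(path, body=None, method="POST", base_url=ES_URL):
    """Send the request for real (network; not used by the offline checks)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for step in plan(SAMPLE_CAT_SHARDS, "e5170931ff71"):
        print(as_curl("/_cluster/allocation/explain", step["explain"], method="GET"))
        print(as_curl("/_cluster/reroute", step["reroute"]))
```

Run the explain request first: if it reports a stale copy on the named node, the reroute recovers the index minus the writes that copy missed; if no node holds any copy, the reroute fails and deleting the index, as above, is the only way back to green.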