Graylog syslog messages are not seen in librenms

Hi Team,

I am new to LibreNMS. I installed the Docker image of LibreNMS and was able to add the device into LibreNMS. Now I am planning to add the syslog of my device to LibreNMS by integrating Graylog with LibreNMS. The device logs are seen in Graylog, but they are not imported into LibreNMS. If I create a stream in Graylog, it is reflected in LibreNMS, but the logs for that stream are not.

Could you please help if I am missing something here?


Hi,
In my experience, this might be a hostname/FQDN problem. You should check what the source name/IP of the messages in Graylog is; it should be the same as the hostname in LibreNMS. The API call uses the LibreNMS hostname to identify the device.

Verify whether you are receiving any Graylog messages in the Overview -> Graylog section; if this is empty, you need to troubleshoot your API connection. I found the user I had created in Graylog did not have sufficient permissions.

If you have messages but they are not correctly associated with the device, check the Graylog fields for the messages / the logging source IP of the device you are trying to see logs for. In LibreNMS, all the devices I have that go to Graylog and LibreNMS use the IP of the device rather than a DNS name, and the "source" field from Graylog did not always match, but I found another field that was the remote address (gl2_remote_ip) that did match. Your environment may vary; I only need to see syslogs from Graylog in LibreNMS, nothing from our Beats input, raw UDP, or other inputs.

Hi
Thanks for the reply. Under Overview -> Graylog, there are no logs at all, hence it might be an API issue. I have used the admin user, so it doesn't look like a permission issue. Also, I can see all the streams under the Graylog section, but no logs from any devices.

Any suggestion on this field in LibreNMS while adding Graylog?

Thanks for the reply. Under Overview -> Graylog, there are no logs there at all, for any devices.

Try to query the graylog API manually to see if you get any errors or results.

curl -X GET -u 'admin:PW' -H 'accept:application/json' 'https://hostname/api/search/universal/relative?query=*&range=300'

This should show all logs for the last five minutes.

For the query API field, start with "source" (no quotes).
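The two checks the replies above describe, as an added example that is not part of the original thread and not LibreNMS or Graylog project code: it builds the same relative-search URL the curl command uses (with basic auth, so a 401/403 points at the API user's permissions), and then applies the hostname-matching rule to a constructed sample response to show why matching on gl2_remote_ip can succeed where the "source" field fails. The LibreNMS device hostname 192.0.2.10, the Graylog base URL, the credentials and the sample messages are assumptions made for the example.

```python
"""Troubleshoot why LibreNMS shows no Graylog logs for a device.

Added example (not LibreNMS or Graylog project code). Assumes a Graylog
reachable at GRAYLOG_API (placeholder from the curl command) and a LibreNMS
device whose hostname field is the IP 192.0.2.10 (hypothetical).
"""
import base64
import json
import urllib.request

GRAYLOG_API = "https://hostname/api"   # placeholder, as in the curl command
DEVICE_HOSTNAME = "192.0.2.10"         # assumed: device was added to LibreNMS by IP


def search_url(base=GRAYLOG_API, query="*", range_seconds=300):
    """Same endpoint the curl command hits: all messages of the last N seconds."""
    return f"{base}/search/universal/relative?query={query}&range={range_seconds}"


def fetch_messages(user, password, base=GRAYLOG_API, range_seconds=300):
    """Query Graylog with HTTP basic auth. A urllib.error.HTTPError with code
    401/403 here is what an API user with insufficient permissions looks like."""
    req = urllib.request.Request(search_url(base, "*", range_seconds))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["messages"]


def messages_for_device(messages, hostname, field="source"):
    """Keep the messages whose chosen Graylog field equals the LibreNMS hostname.

    LibreNMS looks up Graylog messages by the device hostname, so a message
    only appears under the device if the compared field is an exact match."""
    return [m["message"] for m in messages if m["message"].get(field) == hostname]


def diagnose(messages, hostname, field="source"):
    """Map the two failure modes discussed in the thread to a short verdict."""
    if not messages:
        return "no messages: check API URL, credentials and user permissions"
    if not messages_for_device(messages, hostname, field):
        return f"messages present but none match {hostname} on '{field}': try another field"
    return "ok"


# Constructed sample, shaped like Graylog's /search/universal/relative reply:
# each entry wraps the actual fields in a "message" dict.
SAMPLE_MESSAGES = [
    {"index": "graylog_0", "message": {
        "timestamp": "2023-01-01T10:00:00.000Z",
        "source": "switch01",            # device sent its configured sysname
        "gl2_remote_ip": "192.0.2.10",   # ...but the packet came from this IP
        "message": "%LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down"}},
    {"index": "graylog_0", "message": {
        "timestamp": "2023-01-01T10:00:05.000Z",
        "source": "switch01",
        "gl2_remote_ip": "192.0.2.10",
        "message": "%SYS-5-CONFIG_I: Configured from console"}},
    {"index": "graylog_0", "message": {
        "timestamp": "2023-01-01T10:00:09.000Z",
        "source": "router02",
        "gl2_remote_ip": "192.0.2.20",   # a different device
        "message": "%SEC-6-IPACCESSLOGP: list 101 denied tcp"}},
]


if __name__ == "__main__":
    for field in ("source", "gl2_remote_ip"):
        hits = messages_for_device(SAMPLE_MESSAGES, DEVICE_HOSTNAME, field)
        verdict = diagnose(SAMPLE_MESSAGES, DEVICE_HOSTNAME, field)
        print(f"{field:>14}: {len(hits)} message(s) -> {verdict}")
    # To run against a real Graylog instead of the sample, uncomment:
    # live = fetch_messages("admin", "PW")
    # print(diagnose(live, DEVICE_HOSTNAME, "gl2_remote_ip"))
```

With the sample data, matching on "source" finds nothing for 192.0.2.10 (the device reports its sysname, not its IP), while gl2_remote_ip matches both of its messages; that is the situation the earlier reply describes, and the reason to check which field actually carries the value LibreNMS has as the device hostname before changing the query field.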