source: Extensions/Graylog.md
path: blob/master/doc/

# Graylog integration

LibreNMS has a simple integration for Graylog: from within LibreNMS
you can view any logs that have been parsed by the syslog input in
Graylog. This includes logs from devices that are not in LibreNMS.
You can also see the logs for a specific device under the logs
section for that device.

Currently, LibreNMS does not associate shortnames from Graylog with
full FQDNs. If you have your devices in LibreNMS using full FQDNs,
such as hostname.example.com, be aware that rsyslogd, by default,
sends the shortname only. To fix this, add

`$PreserveFQDN on`

to your rsyslog config to send the full FQDN so device logs will be
associated correctly in LibreNMS. Also see near the bottom of this
document for tips on how to enable/suppress the domain part of
hostnames in syslog messages for some platforms.

Graylog itself isn't included with LibreNMS; you will need to
install it separately, either on the same infrastructure as LibreNMS
or as a totally standalone appliance.

Config is simple; here's an example based on Graylog 2.4:

```php
$config['graylog']['server'] = 'http://127.0.0.1'; // Graylog API host
$config['graylog']['port'] = 9000;                 // Graylog API port
$config['graylog']['username'] = 'admin';          // example value; use your own Graylog user
$config['graylog']['password'] = 'admin';          // example value; use that user's password
$config['graylog']['version'] = '2.4';             // version of your Graylog install
```

## Timezone
Graylog messages are stored using the GMT timezone. You can display
Graylog messages in the LibreNMS web UI in your desired timezone by
setting the following option in config.php:

```php
$config['graylog']['timezone'] = 'Europe/Bucharest';
```

The timezone must be one supported by PHP; the list is available at:
<https://php.net/manual/en/timezones.php>

## Graylog Version
If you are running a version earlier than Graylog then please set
```php
$config['graylog']['version']
```
to the version number of your Graylog install.
Versions earlier than 2.1 use the default port `12900`.

## URI
If you have altered the default URI for your Graylog setup then you
can override the default of `/api/` using
```php
$config['graylog']['base_uri'] = '/somepath/';
```

## User Credentials
If you choose to use another user besides the admin user, please note
that currently you must give the user "admin" permissions from within
Graylog; "read" permissions alone are not sufficient.

## TLS Certificate
If you have enabled TLS for the Graylog API and you are using a
self-signed certificate, please make sure that the certificate is
trusted by your LibreNMS host, otherwise the connection will
fail. Additionally, the certificate's Common Name (CN) has to match
the FQDN or IP address specified in
```php
$config['graylog']['server']
```

## Match Any Address
By default, the source address of a log entry is matched only against
the primary address and the host name of a device to assign the entry
to that device. If you want to match it against any IP address of a
device instead, you can activate this function using

```php
$config['graylog']['match-any-address'] = 'true';
```

## Recent Devices
There are 2 configuration parameters to influence the behaviour of the
"Recent Graylog" table on the overview page of the
devices.

```php
$config['graylog']['device-page']['rowCount']
```

Sets the maximum number of rows to be displayed (default: 10).

```php
$config['graylog']['device-page']['loglevel']
```

Sets which log levels are displayed on the overview page (default: 7, min: 0, max: 7).

```php
$config['graylog']['device-page']['loglevel'] = 4;
```
Shows only entries with a log level less than or equal to 4 (Emergency,
Alert, Critical, Error, Warning).

You can set a default log level filter with
```php
$config['graylog']['loglevel']
```
(applies to `/graylog` and `/device/device=/tab=logs/section=graylog/`; min: 0, max: 7)

# Suppressing/enabling the domain part of a hostname for specific platforms

First check whether what you get in syslog/Graylog matches up with your
configured hosts. If you need to modify the syslog messages from
specific platforms, this may be of assistance:

## IOS (Cisco)

```
router(config)# logging origin-id hostname
```

or

```
router(config)# logging origin-id string
```

## JunOS (Juniper Networks)

```
set system syslog host yourlogserver.corp log-prefix YOUR_PREFERRED_STRING
```

## PanOS (Palo Alto Networks)

```
set deviceconfig setting management hostname-type-in-syslog hostname
```

or

```
set deviceconfig setting management hostname-type-in-syslog FQDN
```
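
To carry out the comparison recommended at the start of this section (syslog/Graylog source names versus configured hosts), the following added example, which is not part of LibreNMS or of the original page, classifies each source name against the device hostnames. The function name, status labels and sample names are hypothetical. It assumes a log entry is associated only when the source name equals the configured hostname, and it does not model address matching.

```python
"""Compare syslog source names seen in Graylog with LibreNMS device hostnames."""
from collections import defaultdict


def classify_sources(device_hostnames, graylog_sources):
    """Return {source: (status, candidate_devices)} for each Graylog source name.

    Assumption: a log entry is tied to a device only when the source name
    equals the configured hostname (compared case-insensitively here).
    """
    configured = {h.lower().rstrip(".") for h in device_hostnames}
    by_first_label = defaultdict(set)
    for host in configured:
        by_first_label[host.split(".", 1)[0]].add(host)

    report = {}
    for raw in graylog_sources:
        source = raw.lower().rstrip(".")
        first_label = source.split(".", 1)[0]
        candidates = sorted(by_first_label.get(first_label, set()) - {source})
        if source in configured:
            status, candidates = "match", [source]
        elif not candidates:
            status = "unknown"  # no device with this name at all
        elif len(candidates) > 1:
            status = "ambiguous"  # several devices share the first label
        elif "." not in source:
            status = "shortname-sent"  # sender dropped the domain part
        else:
            status = "domain-differs"  # sender adds or uses another domain
        report[raw] = (status, candidates)
    return report


if __name__ == "__main__":
    # Constructed sample data, not taken from a real installation.
    devices = ["core1.example.com", "fw1.example.com", "fw1.lab.example.com", "sw2"]
    sources = ["core1", "fw1", "sw2.example.com", "core1.example.com", "printer9"]
    for name, (status, hosts) in classify_sources(devices, sources).items():
        print(f"{name:20} {status:15} {', '.join(hosts)}")
```

Sources reported as `shortname-sent` are the case that `$PreserveFQDN on` or a platform's FQDN setting addresses. `ambiguous` and `unknown` sources are logs that will not show up under any single device and are worth reviewing by hand.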