I'm just setting up graylog2 (which is awesome) to be a syslog server for my virtualised environment. All my hosts and switches are happily logging away to graylog2, which is drawing some pretty graphs. So far, so good.
However, when it comes to forwarding the logs from my vSphere 5.0 hosts, I'm running into some issues. I configure the global syslog setting to have a remote host of udp://loghost:514 and I go to the graylog console to see what messages come in. For some reason, graylog2 logs the log severity in the 'host' column:
The screenshot shows some localhost log entries which are correct, and above that some vSphere host entries which obviously are not. All the vSphere entries come in as facility local4 and with a severity of Informational.
The only other time where I had an issue with this was from my Cisco 3750 switch, where I had to explicitly set the syslog forwarding format to syslog, otherwise I'd get all sorts of strange entries in the 'host' column.
Is this a problem with vSphere, or a bug within graylog2? I've not come across anyone else with this problem, so not sure where to start looking.
It could be that vSphere is not conforming to the expected syslog format that Graylog2 is expecting - usually in these instances, I would set up a logstash instance on the Graylog2 server to receive the incoming log stream, and use a grok filter to munge the logs into a format that Graylog2 will accept in the same manner that your other syslog entries are being received.
You could configure Logstash to listen on (for example) port 1514, and have an output plugin that sends to Graylog2 - http://logstash.net/docs/1.4.2/outputs/gelf ... this would also allow you to inspect the logs being received, to see whether they are in the same format as the other syslog entries being received.
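To inspect the incoming stream before it reaches Graylog2, the normalisation step the answer describes can be prototyped outside Logstash. The following is an added example, not code from the question, the answer or either project: it decodes the syslog PRI value (facility local4 / severity Informational is PRI 166), parses both the RFC 5424 and the classic RFC 3164 header layout, and reports which header a line actually used so a host-versus-severity mix-up is visible. The sample lines are constructed for illustration and are not captured ESXi output.

```python
import re

# Standard syslog facility and severity names; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ver>\d)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+"
                     r"(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+"
                     r"(?P<sd>-|\[.*?\])\s*(?P<msg>.*)$")
# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})"
                     r"\s+(?P<host>\S+)\s+(?P<msg>.*)$")

# Constructed samples (not real ESXi output): a 5424-style line, a 3164-style line,
# and a line whose header matches neither layout.
SAMPLE_5424 = "<166>1 2014-06-10T12:00:00.000Z esx01.example.com Hostd 1234 - - User root logged in"
SAMPLE_3164 = "<166>Jun 10 12:00:00 esx01 Hostd: User root logged in"
SAMPLE_BAD = "<166>2014-06-10T12:00:00Z Hostd: User root logged in"


def decode_pri(pri):
    """Split a PRI value into (facility number, severity number)."""
    return pri // 8, pri % 8


def parse_syslog(line):
    """Return a normalised dict for a syslog line, or None if no known header matches.

    Returning None rather than guessing is deliberate: a consumer that falls back to
    'second whitespace token is the host' is exactly how the wrong field ends up in
    the host column.
    """
    match = RFC5424.match(line) or RFC3164.match(line)
    if not match:
        return None
    facility, severity = decode_pri(int(match.group("pri")))
    return {
        "format": "rfc5424" if match.re is RFC5424 else "rfc3164",
        "facility": FACILITIES[facility] if facility < len(FACILITIES) else str(facility),
        "severity": SEVERITIES[severity],
        "host": match.group("host"),
        "message": match.group("msg"),
    }
```

Feed it the raw lines captured on the Logstash listener; any line that comes back as None is one whose header grok would also need a dedicated pattern for.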