Logging Scenario - Send Local Logs to Graylog
Last modified on March 24, 2023
Scenario: You want to save gateway/relay logs to Graylog. This guide presents a simple method to send all gateway/relay logs to your Graylog log server using Filebeat as a “sidecar”.
As with all gateway/relay logs, the logs stored on the gateway/relay will not include Admin UI activities, which can be accessed via the sdm audit activities command.

Setting up the export
Enable relay logging in the Admin UI under Settings / Log Encryption & Storage. Ensure logging is set to FILE.
Create a standard “Filebeat on Linux” Sidecar/Collector as per the Graylog documentation.
Use the following configuration for your Collector:

    # Needed for Graylog
    fields_under_root: true
    fields.collector_node_id: ${sidecar.nodeName}
    fields.gl2_source_collector: ${sidecar.nodeId}

    filebeat.inputs:
    - input_type: log
      paths:
        # Absolute path to the SDM logs folder on the gateway/relay
        - /home/ubuntu/.sdm/logs/*.log
      type: log
    output.logstash:
      # Host/IP and port of the Graylog server
      hosts: ["52.33.177.178:5044"]
    path:
      data: /var/lib/graylog-sidecar/collectors/filebeat/data
      logs: /var/lib/graylog-sidecar/collectors/filebeat/log

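The output.logstash section above carries no ssl settings, so Filebeat ships the gateway/relay logs to port 5044 over plain TCP. A TLS variant of that section follows as an added example, not part of the original guide; the hostname, the certificate file paths, and a Graylog Beats input with TLS enabled are assumptions.

```yaml
# Added example: TLS for the Sidecar-to-Graylog connection.
# Assumed values: graylog.example.internal and every file path below.
output.logstash:
  # Use a hostname that matches the certificate presented by the Beats input
  hosts: ["graylog.example.internal:5044"]
  ssl:
    enabled: true
    # CA that issued the Graylog Beats input certificate (assumed path)
    certificate_authorities: ["/etc/graylog/sidecar/graylog-ca.pem"]
    # Verify both the certificate chain and the hostname
    verification_mode: full
    # Optional client certificate, only if the input requires client auth
    # (assumed paths)
    certificate: "/etc/graylog/sidecar/sidecar-client.pem"
    key: "/etc/graylog/sidecar/sidecar-client.key"
```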
Modify the paths value to use the absolute path to your SDM logs folder.
Modify the hosts value to use the host/IP and port for your Graylog server, so that the Sidecar can push logs to it.
Check your Graylog console and look for messages like this: