Debian 10 using remote syslog server

28 May 2021

I have a central log server, my Graylog server I wrote about earlier. I have no idea how to correctly use Graylog yet. But I do know I need some data, so I went through all my Debian servers and configured them all to send logs to my Graylog server using rsyslog.

Configure rsyslog

This is a very straightforward task; it just needs a few lines in one config file.

I created the config file /etc/rsyslog.d/graylog.conf and added lines for what to log remotely.

# /etc/rsyslog.d/graylog.conf
# A single @ forwards over UDP; @@ would forward over TCP.
auth,authpriv.*	@srv-graylog.home.lan:514
daemon.warn		@srv-graylog.home.lan:514
kern.warn		@srv-graylog.home.lan:514
lpr.*			@srv-graylog.home.lan:514
mail.*			@srv-graylog.home.lan:514
user.*			@srv-graylog.home.lan:514

I added multiple lines so I can comment out lines or change the level of detail I want in my Graylog. I don’t want too much spam; Docker did spam a lot when I had daemon.*, so I changed that one to daemon.warn.
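To see which messages these selectors actually send to the remote server, here is an added example (not part of the original post) that models only the selector syntax used in this file. The function names are made up for illustration, and rsyslog's `=`, `!`, `;` and `none` forms are not handled.

```python
# Added example: simplified model of the selectors in graylog.conf (assumption:
# only "fac[,fac].prio" forms as used on this page, not full rsyslog grammar).
# Severity names ordered from most to least severe (index 0 = emerg).
SEVERITIES = ["emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"]
ALIASES = {"warning": "warn", "error": "err", "panic": "emerg"}

CONFIG = """\
# /etc/rsyslog.d/graylog.conf
auth,authpriv.*  @srv-graylog.home.lan:514
daemon.warn      @srv-graylog.home.lan:514
kern.warn        @srv-graylog.home.lan:514
lpr.*            @srv-graylog.home.lan:514
mail.*           @srv-graylog.home.lan:514
user.*           @srv-graylog.home.lan:514
"""

def parse_rules(text):
    """Return a list of (facilities, priority, action) from selector lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        facilities, priority = selector.rsplit(".", 1)
        rules.append((set(facilities.split(",")), ALIASES.get(priority, priority), action))
    return rules

def is_forwarded(rules, facility, severity):
    """True if a message with this facility and severity matches any rule."""
    sev = SEVERITIES.index(ALIASES.get(severity, severity))
    for facilities, priority, _action in rules:
        if facility not in facilities and "*" not in facilities:
            continue
        # "*" matches every severity; a name matches that severity and anything more severe.
        if priority == "*" or sev <= SEVERITIES.index(priority):
            return True
    return False

def transport(action):
    """'@host' is UDP and '@@host' is TCP in rsyslog's forwarding syntax."""
    return "tcp" if action.startswith("@@") else "udp"

RULES = parse_rules(CONFIG)

if __name__ == "__main__":
    for fac, sev in [("daemon", "info"), ("daemon", "err"), ("authpriv", "info"), ("cron", "err")]:
        print(f"{fac}.{sev}: {'forwarded' if is_forwarded(RULES, fac, sev) else 'not forwarded'}")
```

With daemon.warn, Docker's info-level chatter stays off the Graylog server while warnings and errors still arrive; facilities not listed in the file, such as cron, are never forwarded.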