You can use the graylog2() destination and a Graylog Extended Log Format (GELF) template to send syslog messages to Graylog.
You can forward simple name-value pairs where the name starts with a dot or underscore. If names of your name-value pairs include dots other than the first character, you should use JSON formatting directly instead of the GELF template and send logs to a raw TCP port in Graylog, which can then extract fields from nested JSON.
graylog2();
You can send syslog messages to Graylog using the graylog2() destination. The graylog2() destination uses the GELF template, the native data format of Graylog.
On the Graylog side, configure a GELF TCP input. For more information, see the relevant Graylog documentation.
On the syslog-ng side, configure the name or IP address of the host running Graylog.
destination d_graylog { graylog2( host("172.16.146.142") ); };
If you parsed your messages using syslog-ng, the template also forwards any name-value pairs where the name starts with a dot or underscore.
|
NOTE:
If there is a dot in a field name other than the first character, syslog-ng creates nested JSON while formatting the message. Nested JSON is not automatically parsed in GELF messages. |
While sending nested JSON inside GELF is possible, it is not convenient. If you use parsing and normalization in syslog-ng and dot notation in field names, use pure JSON instead of GELF to forward your messages.
On the Graylog side, create a new raw TCP input.
Still in Graylog, once the raw TCP input is ready, add a JSON extractor to it.
On the syslog-ng side, use a network destination combined with a template utilizing format-json as shown in the example below:
destination d_jsontcp { network( "172.16.146.142" port("5555") transport(tcp) template("$(format-json --scope all-nv-pairs)\n") ); };
© 2025 One Identity LLC. ALL RIGHTS RESERVED. 使用条款 隐私 Cookie Preference Center