{"id":229,"date":"2016-11-18T17:50:48","date_gmt":"2016-11-18T22:50:48","guid":{"rendered":"http:\/\/onebyte.org\/blog\/?p=229"},"modified":"2017-12-05T21:51:09","modified_gmt":"2017-12-06T02:51:09","slug":"229","status":"publish","type":"post","link":"https:\/\/www.onebyte.org\/blog\/2016\/11\/18\/229\/","title":{"rendered":"The incomplete path to a syslog"},"content":{"rendered":"<p>The path to a great syslog! My first full-fledged syslog deployment should be interesting, and an educational read for anyone who&#8217;s on a similar path.<\/p>\n<p class=\"\">**sips coffee**<\/p>\n<p>Ok, off to the races!<\/p>\n<h4>Identify what your business needs are.<\/h4>\n<ul>\n<li>Why do you need a syslog server?<\/li>\n<li>What&#8217;s your budget?<\/li>\n<li>Can your existing network meet the demand of a syslog?<\/li>\n<li>Number of devices logging and messages per second<\/li>\n<li>What is your desired retention period?<\/li>\n<li>Understand the topology of your network and where you may need forwarders setup.<\/li>\n<li>What are you looking for as sources? 
See my <a href=\"#sources\">SOURCES<\/a> list for an example.<\/li>\n<\/ul>\n<h4>Top Syslog options (in my preferred order):<\/h4>\n<ul>\n<li>Splunk (paid &#8211; free up to 500MB per day)<\/li>\n<li>Graylog (open source)<\/li>\n<li>Rsyslog (open source)<\/li>\n<li>ELK (Elasticsearch, Logstash, Kibana) (open source)<\/li>\n<li>Logz.io (paid)<\/li>\n<li>Elsa (open source)<span class=\"footnote_referrer\"><a role=\"button\" tabindex=\"0\" onclick=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_1');\" onkeypress=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_1');\" ><sup id=\"footnote_plugin_tooltip_229_1_1\" class=\"footnote_plugin_tooltip_text\">[1]<\/sup><\/a><span id=\"footnote_plugin_tooltip_text_229_1_1\" class=\"footnote_tooltip\"><a href=\"https:\/\/github.com\/mcholste\/elsa\"><span class=\"footnote_url_wrap\">https:\/\/github.com\/mcholste\/elsa<\/span><\/a><\/span><\/span><\/li>\n<li>SolarWinds LEM (paid)<\/li>\n<li>Kiwi (paid)<\/li>\n<li>AlertLogic (paid)<\/li>\n<\/ul>\n<p>Out of all the options, I ended up choosing Graylog. The deciding factor for me was cost. Graylog is a capable solution, especially Graylog2. From my research there were quite a few issues with the server falling over at 2k+ messages per second; however, that was addressed in Graylog 2.x. I&#8217;m anticipating throwing an rsyslog server into the mix for long-term archival of logs, while the Graylog server will handle recent events (&lt;3 months).<\/p>\n<p>Once you&#8217;ve decided which stack you&#8217;re moving forward with, install it! The remainder of this document covers ELK\/Graylog and my experiences with it. 
While demoing the many products, Splunk was my favorite. The best thing about it was that it had pre-built apps that would organize my data into something meaningful. With Graylog, or other open source solutions, you&#8217;ll have to create those visuals and streams manually.<\/p>\n<p>When I first installed the Graylog OVA for VMware it didn&#8217;t go well. My experience was a very negative one: nothing seemed to be functioning properly. The largest issue was that Elasticsearch wasn&#8217;t able to start. There were also a number of libraries missing on the distro. I took the night off and attempted again a few days later with a freshly downloaded OVA. Spun it up and everything worked per the getting started guide.<span class=\"footnote_referrer\"><a role=\"button\" tabindex=\"0\" onclick=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_2');\" onkeypress=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_2');\" ><sup id=\"footnote_plugin_tooltip_229_1_2\" class=\"footnote_plugin_tooltip_text\">[2]<\/sup><\/a><span id=\"footnote_plugin_tooltip_text_229_1_2\" class=\"footnote_tooltip\"><span class=\"footnote_url_wrap\">http:\/\/docs.graylog.org\/en\/2.1\/pages\/getting_started\/web_console.html<\/span><\/span><\/span><\/p>\n<p><b>Note: if you change IP (I went from DHCP to static) you need to run &#8220;sudo graylog-ctl reconfigure&#8221;<\/b><\/p>\n<p>Once I wrapped up the getting started guide, everything &#8216;just worked&#8217;. I created a few inputs and pointed my equipment accordingly. Data was showing up! Success! 
I ended up creating a few dashboards, mostly just to make sure everything was working.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-230\" src=\"http:\/\/onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_16_29-Graylog-Web-Interface.png\" alt=\"Graylog_dashboard\" width=\"496\" height=\"379\" srcset=\"https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_16_29-Graylog-Web-Interface.png 2109w, https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_16_29-Graylog-Web-Interface-300x229.png 300w, https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_16_29-Graylog-Web-Interface-768x587.png 768w, https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_16_29-Graylog-Web-Interface-1024x782.png 1024w, https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_16_29-Graylog-Web-Interface-105x80.png 105w\" sizes=\"auto, (max-width: 496px) 100vw, 496px\" \/><\/p>\n<h4>Tips!<\/h4>\n<ul>\n<li>Make sure you change your default Linux user password and the web interface admin password!<span class=\"footnote_referrer\"><a role=\"button\" tabindex=\"0\" onclick=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_3');\" onkeypress=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_3');\" ><sup id=\"footnote_plugin_tooltip_229_1_3\" class=\"footnote_plugin_tooltip_text\">[3]<\/sup><\/a><span id=\"footnote_plugin_tooltip_text_229_1_3\" class=\"footnote_tooltip\"><a href=\"http:\/\/docs.graylog.org\/en\/2.1\/pages\/configuration\/graylog_ctl.html?highlight=admin%20password\"><span class=\"footnote_url_wrap\">http:\/\/docs.graylog.org\/en\/2.1\/pages\/configuration\/graylog_ctl.html?highlight=admin%20password<\/span><\/a><\/span><\/span><\/li>\n<li>Follow the hardening guides! Hardening<span class=\"footnote_referrer\"><a role=\"button\" tabindex=\"0\" onclick=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_4');\" onkeypress=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_4');\" ><sup id=\"footnote_plugin_tooltip_229_1_4\" class=\"footnote_plugin_tooltip_text\">[4]<\/sup><\/a><span id=\"footnote_plugin_tooltip_text_229_1_4\" class=\"footnote_tooltip\"><a href=\"http:\/\/docs.graylog.org\/en\/2.1\/pages\/installation\/virtual_machine_appliances.html#vmware-tools\"><span class=\"footnote_url_wrap\">http:\/\/docs.graylog.org\/en\/2.1\/pages\/installation\/virtual_machine_appliances.html#vmware-tools<\/span><\/a><\/span><\/span> and Securing<span class=\"footnote_referrer\"><a role=\"button\" tabindex=\"0\" onclick=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_5');\" onkeypress=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_5');\" ><sup id=\"footnote_plugin_tooltip_229_1_5\" class=\"footnote_plugin_tooltip_text\">[5]<\/sup><\/a><span id=\"footnote_plugin_tooltip_text_229_1_5\" class=\"footnote_tooltip\"><a href=\"http:\/\/docs.graylog.org\/en\/2.1\/pages\/securing.html\"><span class=\"footnote_url_wrap\">http:\/\/docs.graylog.org\/en\/2.1\/pages\/securing.html<\/span><\/a><\/span><\/span>.<\/li>\n<li>Back your machine up! MongoDB\/Elastic backup<span class=\"footnote_referrer\"><a role=\"button\" tabindex=\"0\" onclick=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_6');\" onkeypress=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_6');\" ><sup id=\"footnote_plugin_tooltip_229_1_6\" class=\"footnote_plugin_tooltip_text\">[6]<\/sup><\/a><span id=\"footnote_plugin_tooltip_text_229_1_6\" class=\"footnote_tooltip\"><a href=\"http:\/\/docs.graylog.org\/en\/2.1\/pages\/configuration\/backup.html\"><span class=\"footnote_url_wrap\">http:\/\/docs.graylog.org\/en\/2.1\/pages\/configuration\/backup.html<\/span><\/a><\/span><\/span><\/li>\n<\/ul>\n<p>As I find more time I&#8217;ll continue to add to this article with additional tips.<\/p>\n<h4><a id=\"sources\"><\/a>Syslog sources:<\/h4>\n<ul>\n<li>Windows event logs<\/li>\n<li>Firewalls<\/li>\n<li>WAPs<\/li>\n<li>Switches<\/li>\n<li>Antivirus<\/li>\n<li>VMware<\/li>\n<li>Cameras and DVR<\/li>\n<li>Linux servers<\/li>\n<li>Software\n<ul type=\"circle\">\n<li>Exchange<\/li>\n<li>ADSU<\/li>\n<li>DNS<\/li>\n<li>DHCP<\/li>\n<li>Backup<\/li>\n<li>Citrix<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4>OVA storage tips and advice:<\/h4>\n<p>The default OVA installation of Graylog has a caveat: IDE storage. I installed the default 20GB storage for my Graylog testing and found that it quickly filled up (within two weeks of logging 5 devices). I attempted to extend the disk, but with VMware you cannot extend IDE disks, only SCSI. 
I ended up having to add an additional disk (SCSI, so I can extend it) to the VM. When the disk runs low on space, extend it in VMware and then grow the filesystem with:<\/p>\n<pre class=\"lang:default decode:true \">ubuntu@graylog:~$ sudo resize2fs \/dev\/sdb\r\nresize2fs 1.42.9 (4-Feb-2014)\r\nFilesystem at \/dev\/sdb is mounted on \/elasticsearch_data; on-line resizing required\r\nold_desc_blocks = 2, new_desc_blocks = 7\r\nThe filesystem on \/dev\/sdb is now 26214400 blocks long.<\/pre>\n<p>This added 80GB to my 20GB elasticsearch_data filesystem on \/dev\/sdb. If you find your cluster state is red and you have unassigned shards, you may want to follow a great guide<span class=\"footnote_referrer\"><a role=\"button\" tabindex=\"0\" onclick=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_7');\" onkeypress=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_7');\" ><sup id=\"footnote_plugin_tooltip_229_1_7\" class=\"footnote_plugin_tooltip_text\">[7]<\/sup><\/a><span id=\"footnote_plugin_tooltip_text_229_1_7\" class=\"footnote_tooltip\"><span class=\"footnote_url_wrap\">https:\/\/t37.net\/how-to-fix-your-elasticsearch-cluster-stuck-in-initializing-shards-mode.html<\/span><\/span><\/span> to resolve it.<\/p>\n<pre class=\"lang:default decode:true \">Check status:\r\ncurl -XGET http:\/\/localhost:9200\/_cluster\/health?pretty\r\n\r\nGet shard assignment:\r\ncurl -XGET http:\/\/localhost:9200\/_cat\/shards<\/pre>\n<p>When running the script from the T37 guide linked above, I ran into issues. I had to enclose <code>$shard<\/code> in single quotes. I also didn&#8217;t realize my node name was &#8216;Bling&#8217;, which I believe is a default. 
Below is the script I ran:<\/p>\n<pre class=\"lang:default decode:true \"># Re-allocate every UNASSIGNED shard to the single data node (here named Bling).\r\n# _cat\/shards prints: index shard prirep state ... so take the index ($1) and shard number ($2).\r\ncurl -s -XGET http:\/\/localhost:9200\/_cat\/shards | grep UNASSIGNED | awk '{print $1, $2}' | while read index shard; do\r\n    curl -s -XPOST 'localhost:9200\/_cluster\/reroute' -d '{\r\n        \"commands\" : [ {\r\n              \"allocate\" : {\r\n                  \"index\" : \"'$index'\",\r\n                  \"shard\" : '$shard',\r\n                  \"node\" : \"Bling\",\r\n                  \"allow_primary\" : true\r\n              }\r\n            }\r\n        ]\r\n    }'\r\n    sleep 5\r\ndone<\/pre>\n<p>Example procedure for an OVA appliance on VMware:<\/p>\n<div class=\"wy-table-responsive\">\n<table class=\"docutils\" border=\"1\">\n<colgroup>\n<col width=\"51%\" \/>\n<col width=\"49%\" \/><\/colgroup>\n<thead valign=\"bottom\">\n<tr class=\"row-odd\" style=\"height: 24px;\">\n<th class=\"head\" style=\"width: 70px; height: 24px;\">Action<\/th>\n<th class=\"head\" style=\"width: 1293px; height: 24px;\">Explanation<\/th>\n<\/tr>\n<\/thead>\n<tbody valign=\"top\">\n<tr class=\"row-even\" style=\"height: 24px;\">\n<td style=\"width: 70px; height: 24px;\">shutdown the VM<\/td>\n<td style=\"width: 1293px; height: 24px;\">Preparation for creating a consistent snapshot<\/td>\n<\/tr>\n<tr class=\"row-odd\" style=\"height: 24px;\">\n<td style=\"width: 70px; height: 24px;\">take a snapshot through VMware<\/td>\n<td style=\"width: 1293px; height: 24px;\">Use the VMware GUI to create a snapshot of the VM in case something goes wrong<\/td>\n<\/tr>\n<tr class=\"row-even\" style=\"height: 48px;\">\n<td style=\"width: 70px; height: 48px;\">attach an additional hard drive<\/td>\n<td style=\"width: 1293px; height: 48px;\">Use the VMware GUI to attach another hard drive suitable for the amount of logs you want to store<\/td>\n<\/tr>\n<tr class=\"row-odd\" style=\"height: 24px;\">\n<td style=\"width: 70px; height: 24px;\">start the VM again and follow these steps:<\/td>\n<td style=\"width: 1293px; 
height: 24px;\"><\/td>\n<\/tr>\n<tr class=\"row-even\" style=\"height: 24px;\">\n<td style=\"width: 70px; height: 24px;\">\n<div class=\"first last line-block\">\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">sudo<\/span> <span class=\"pre\">graylog-ctl<\/span> <span class=\"pre\">stop<\/span><\/code><\/div>\n<\/div>\n<\/td>\n<td style=\"width: 1293px; height: 24px;\">Stop all running services to prevent disk access<\/td>\n<\/tr>\n<tr class=\"row-odd\" style=\"height: 14.6563px;\">\n<td style=\"width: 70px; height: 14.6563px;\">\n<div class=\"first last line-block\">\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">sudo<\/span> <span class=\"pre\">lshw<\/span> <span class=\"pre\">-class<\/span> <span class=\"pre\">disk<\/span><\/code><\/div>\n<\/div>\n<\/td>\n<td style=\"width: 1293px; height: 14.6563px;\">Check for the <cite>logical name<\/cite> of the new hard drive. Usually this is <cite>\/dev\/sdb<\/cite><\/td>\n<\/tr>\n<tr class=\"row-even\" style=\"height: 192px;\">\n<td style=\"width: 70px; height: 192px;\">\n<div class=\"first last line-block\">\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">sudo<\/span> <span class=\"pre\">parted<\/span> <span class=\"pre\">-a<\/span> <span class=\"pre\">optimal<\/span> <span class=\"pre\">\/dev\/sdb<\/span> <span class=\"pre\">mklabel<\/span> <span class=\"pre\">gpt<\/span><\/code><\/div>\n<div class=\"line\"><\/div>\n<div class=\"line\">(A reboot may be necessary at this point)<\/div>\n<div class=\"line\"><\/div>\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">sudo<\/span> <span class=\"pre\">parted<\/span> <span class=\"pre\">-a<\/span> <span class=\"pre\">optimal<\/span> <span class=\"pre\">--<\/span> <span class=\"pre\">\/dev\/sdb<\/span> <span class=\"pre\">unit<\/span> <span class=\"pre\">\\\\<\/span><\/code><\/div>\n<div class=\"line-block\">\n<div class=\"line\"><code class=\"docutils literal\"><span 
class=\"pre\">compact<\/span> <span class=\"pre\">mkpart<\/span> <span class=\"pre\">primary<\/span> <span class=\"pre\">ext3<\/span> <span class=\"pre\">\"1\"<\/span> <span class=\"pre\">\"-1\"<\/span><\/code><\/div>\n<div class=\"line\"><\/div>\n<\/div>\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">sudo<\/span> <span class=\"pre\">mkfs.ext4<\/span> <span class=\"pre\">\/dev\/sdb1<\/span><\/code><\/div>\n<\/div>\n<\/td>\n<td style=\"width: 1293px; height: 192px;\">Partition and format new disk<\/td>\n<\/tr>\n<tr class=\"row-odd\" style=\"height: 72px;\">\n<td style=\"width: 70px; height: 72px;\">\n<div class=\"first last line-block\">\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">sudo<\/span> <span class=\"pre\">mkdir<\/span> <span class=\"pre\">\/mnt\/tmp<\/span><\/code><\/div>\n<div class=\"line\"><\/div>\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">sudo<\/span> <span class=\"pre\">mount<\/span> <span class=\"pre\">\/dev\/sdb1<\/span> <span class=\"pre\">\/mnt\/tmp<\/span><\/code><\/div>\n<\/div>\n<\/td>\n<td style=\"width: 1293px; height: 72px;\">Mount disk to temporary mount point<\/td>\n<\/tr>\n<tr class=\"row-even\" style=\"height: 72px;\">\n<td style=\"width: 70px; height: 72px;\">\n<div class=\"first last line-block\">\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">cd<\/span> <span class=\"pre\">\/var\/opt\/graylog\/data<\/span><\/code><\/div>\n<div class=\"line\"><\/div>\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">sudo<\/span> <span class=\"pre\">cp<\/span> <span class=\"pre\">-ax<\/span> <span class=\"pre\">*<\/span> <span class=\"pre\">\/mnt\/tmp\/<\/span><\/code><\/div>\n<\/div>\n<\/td>\n<td style=\"width: 1293px; height: 72px;\">Copy current data to new disk<\/td>\n<\/tr>\n<tr class=\"row-odd\" style=\"height: 48px;\">\n<td style=\"width: 70px; height: 48px;\">\n<div class=\"first last line-block\">\n<div 
class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">sudo<\/span> <span class=\"pre\">diff<\/span> <span class=\"pre\">-qr<\/span> <span class=\"pre\">--suppress-common-lines<\/span> <span class=\"pre\">\\\\<\/span><\/code><\/div>\n<div class=\"line-block\">\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">\/var\/opt\/graylog\/data<\/span> <span class=\"pre\">\/mnt\/tmp<\/span><\/code><\/div>\n<\/div>\n<\/div>\n<\/td>\n<td style=\"width: 1293px; height: 48px;\">Compare both folders. Output should be: <cite>Only in \/mnt\/tmp: lost+found<\/cite><\/td>\n<\/tr>\n<tr class=\"row-even\" style=\"height: 24px;\">\n<td style=\"width: 70px; height: 24px;\">\n<div class=\"first last line-block\">\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">sudo<\/span> <span class=\"pre\">rm<\/span> <span class=\"pre\">-rf<\/span> <span class=\"pre\">\/var\/opt\/graylog\/data\/*<\/span><\/code><\/div>\n<\/div>\n<\/td>\n<td style=\"width: 1293px; height: 24px;\">Delete old data<\/td>\n<\/tr>\n<tr class=\"row-odd\" style=\"height: 72px;\">\n<td style=\"width: 70px; height: 72px;\">\n<div class=\"first last line-block\">\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">sudo<\/span> <span class=\"pre\">umount<\/span> <span class=\"pre\">\/mnt\/tmp<\/span><\/code><\/div>\n<div class=\"line\"><\/div>\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">sudo<\/span> <span class=\"pre\">mount<\/span> <span class=\"pre\">\/dev\/sdb1<\/span> <span class=\"pre\">\/var\/opt\/graylog\/data<\/span><\/code><\/div>\n<\/div>\n<\/td>\n<td style=\"width: 1293px; height: 72px;\">Mount new disk over data folder<\/td>\n<\/tr>\n<tr class=\"row-even\" style=\"height: 96px;\">\n<td style=\"width: 70px; height: 96px;\">\n<div class=\"first last line-block\">\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">echo<\/span> <span class=\"pre\">\"\/dev\/sdb1<\/span> <span 
class=\"pre\">\/var\/opt\/graylog\/data<\/span> <span class=\"pre\">ext4<\/span> <span class=\"pre\">\\<\/span><\/code><\/div>\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">defaults<\/span> <span class=\"pre\">0<\/span> <span class=\"pre\">0\"<\/span> <span class=\"pre\">|<\/span> <span class=\"pre\">sudo<\/span> <span class=\"pre\">tee<\/span> <span class=\"pre\">-a<\/span> <span class=\"pre\">\/etc\/fstab<\/span><\/code><\/div>\n<div class=\"line\"><\/div>\n<div class=\"line\"><code class=\"docutils literal\"><span class=\"pre\">sudo<\/span> <span class=\"pre\">shutdown<\/span> <span class=\"pre\">-r<\/span> <span class=\"pre\">now<\/span><\/code><\/div>\n<\/div>\n<\/td>\n<td style=\"width: 1293px; height: 96px;\">Make change permanent<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Once the storage has been added you need to modify the Elasticsearch configuration so its data path reflects the new storage. Edit the config file at \/opt\/graylog\/elasticsearch\/config\/elasticsearch.yml (I used vim). Look for the &#8216;path.data&#8217; attribute and add the new mount path. Keep in mind that if you&#8217;re replacing the data folder, you must copy all the contents of the existing data folder to the new path. NOTE: Before you modify the Elasticsearch config file, run &#8216;sudo graylog-ctl stop&#8217; to stop the processes. Modify the file and run &#8216;sudo graylog-ctl start&#8217; to start everything back up. 
I had a second session open tailing the elasticsearch log file:<\/p>\n<pre class=\"lang:default decode:true\">root@graylog:\/var\/log\/graylog\/elasticsearch# tail -f graylog.log\r\n[2016-11-29 15:44:21,872][INFO ][cluster.service          ] [Shrunken Bones] new_master {Shrunken Bones}{FVTu19qzQlq4W4Z3dRvuHg}{10.13.37.22}{10.13.37.22:9300}, reason: zen-disco-join(elected_as_master, [0] joins received)\r\n[2016-11-29 15:44:21,900][INFO ][http                     ] [Shrunken Bones] publish_address {10.13.37.22:9200}, bound_addresses {10.13.37.22:9200}\r\n[2016-11-29 15:44:21,901][INFO ][node                     ] [Shrunken Bones] started\r\n[2016-11-29 15:44:22,100][INFO ][gateway                  ] [Shrunken Bones] recovered [1] indices into cluster_state\r\n[2016-11-29 15:44:29,704][INFO ][cluster.service          ] [Shrunken Bones] added {{graylog-f3016b49-5173-4ce5-bad3-fd88b88b2f53}{B90Y0lr-Qjin_Q24nER_gw}{10.13.37.22}{10.13.37.22:9350}{client=true, data=false, master=false},}, reason: zen-disco-join(join from node[{graylog-f3016b49-5173-4ce5-bad3-fd88b88b2f53}{B90Y0lr-Qjin_Q24nER_gw}{10.13.37.22}{10.13.37.22:9350}{client=true, data=false, master=false}])\r\n[2016-11-29 15:45:14,043][INFO ][cluster.routing.allocation] [Shrunken Bones] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[graylog_1][3]] ...]).\r\n[2016-11-29 15:46:42,385][INFO ][node                     ] [Shrunken Bones] stopping ...\r\n[2016-11-29 15:46:45,545][INFO ][node                     ] [Shrunken Bones] stopped\r\n[2016-11-29 15:46:45,552][INFO ][node                     ] [Shrunken Bones] closing ...\r\n[2016-11-29 15:46:45,606][INFO ][node                     ] [Shrunken Bones] closed\r\n[2016-11-29 15:56:32,569][INFO ][node                     ] [Darkoth] version[2.3.1], pid[11395], build[bd98092\/2016-04-04T12:25:05Z]\r\n[2016-11-29 15:56:32,574][INFO ][node                     ] [Darkoth] initializing ...\r\n[2016-11-29 15:56:33,618][INFO ][plugins         
         ] [Darkoth] modules [reindex, lang-expression, lang-groovy], plugins [kopf], sites [kopf]\r\n[2016-11-29 15:56:33,687][INFO ][env                      ] [Darkoth] using [1] data paths, mounts [[\/elasticsearch_data (\/dev\/sdb)]], net usable_space [9.4gb], net total_space [19.5gb], spins? [possibly], types [ext4]\r\n[2016-11-29 15:56:33,688][INFO ][env                      ] [Darkoth] heap size [2.3gb], compressed ordinary object pointers [true]\r\n[2016-11-29 15:56:33,688][WARN ][env                      ] [Darkoth] max file descriptors [64000] for elasticsearch process likely too low, consider increasing to at least [65536]\r\n[2016-11-29 15:56:37,394][INFO ][node                     ] [Darkoth] initialized\r\n[2016-11-29 15:56:37,394][INFO ][node                     ] [Darkoth] starting ...\r\n[2016-11-29 15:56:37,584][INFO ][transport                ] [Darkoth] publish_address {10.13.37.22:9300}, bound_addresses {10.13.37.22:9300}\r\n[2016-11-29 15:56:37,597][INFO ][discovery                ] [Darkoth] graylog\/kRTWCFAUSAyfWd-FRj5TWA\r\n[2016-11-29 15:56:47,686][INFO ][cluster.service          ] [Darkoth] new_master {Darkoth}{kRTWCFAUSAyfWd-FRj5TWA}{10.13.37.22}{10.13.37.22:9300}, reason: zen-disco-join(elected_as_master, [0] joins received)\r\n[2016-11-29 15:56:47,770][INFO ][http                     ] [Darkoth] publish_address {10.13.37.22:9200}, bound_addresses {10.13.37.22:9200}\r\n[2016-11-29 15:56:47,770][INFO ][node                     ] [Darkoth] started\r\n[2016-11-29 15:56:47,796][INFO ][gateway                  ] [Darkoth] recovered [1] indices into cluster_state\r\n[2016-11-29 15:56:48,494][INFO ][cluster.service          ] [Darkoth] added {{graylog-f3016b49-5173-4ce5-bad3-fd88b88b2f53}{vOBRN3MKT9eLs-N1-lbdsw}{10.13.37.22}{10.13.37.22:9350}{client=true, data=false, master=false},}, reason: zen-disco-join(join from node[{graylog-f3016b49-5173-4ce5-bad3-fd88b88b2f53}{vOBRN3MKT9eLs-N1-lbdsw}{10.13.37.22}{10.13.37.22:9350}{client=true, 
data=false, master=false}])\r\n[2016-11-29 15:56:50,269][INFO ][cluster.routing.allocation] [Darkoth] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[graylog_0][3], [graylog_0][1], [graylog_0][2], [graylog_0][1], [graylog_0][2], [graylog_0][3]] ...]).\r\n<\/pre>\n<\/div>\n<h4>Windows Active Directory setup:<\/h4>\n<p>To set up Windows reporting (AD and event logs) I found the following add-on<span class=\"footnote_referrer\"><a role=\"button\" tabindex=\"0\" onclick=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_8');\" onkeypress=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_8');\" ><sup id=\"footnote_plugin_tooltip_229_1_8\" class=\"footnote_plugin_tooltip_text\">[8]<\/sup><\/a><span id=\"footnote_plugin_tooltip_text_229_1_8\" class=\"footnote_tooltip\"><span class=\"footnote_url_wrap\">https:\/\/marketplace.graylog.org\/addons\/750b88ea-67f7-47b1-9a6c-cbbc828d9e25<\/span><\/span><\/span>. Read the readme and requirements. 
I installed the NXLog<span class=\"footnote_referrer\"><a role=\"button\" tabindex=\"0\" onclick=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_9');\" onkeypress=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_9');\" ><sup id=\"footnote_plugin_tooltip_229_1_9\" class=\"footnote_plugin_tooltip_text\">[9]<\/sup><\/a><span id=\"footnote_plugin_tooltip_text_229_1_9\" class=\"footnote_tooltip\"><a href=\"https:\/\/nxlog.co\/products\/nxlog-community-edition\/download\"><span class=\"footnote_url_wrap\">https:\/\/nxlog.co\/products\/nxlog-community-edition\/download<\/span><\/a><\/span><\/span> agent onto my 2012 R2 domain controller. I was able to use the nxlog configuration below as-is (it differs from the default config that ships with the nxlog installer).<\/p>\n<pre class=\"lang:default decode:true\">define ROOT C:\\Program Files (x86)\\nxlog\r\n\r\nModuledir %ROOT%\\modules\r\nCacheDir %ROOT%\\data\r\nPidfile %ROOT%\\data\\nxlog.pid\r\nSpoolDir %ROOT%\\data\r\nLogFile %ROOT%\\data\\nxlog.log\r\n\r\n&lt;Extension gelf&gt;\r\n    Module xm_gelf\r\n&lt;\/Extension&gt;\r\n&lt;Input in&gt;\r\n    # For windows vista\/2008 and above use:\r\n    Module      im_msvistalog\r\n\r\n    # For windows 2003 and earlier use the following:\r\n    #   Module      im_mseventlog\r\n&lt;\/Input&gt;\r\n\r\n&lt;Output out&gt;\r\n    Module      om_udp\r\n    Host        graylog.server.com\r\n    Port        5141\r\n    OutputType  GELF\r\n&lt;\/Output&gt;\r\n\r\n&lt;Route 1&gt;\r\n    Path        in =&gt; out\r\n&lt;\/Route&gt;<\/pre>\n<p>As you can see under &lt;Output out&gt; in the above config, you need to create an input on your Graylog server for GELF UDP 
port 5141. If you&#8217;re having any issues with data showing up, check the nxlog log at C:\\Program Files (x86)\\nxlog\\data\\nxlog.log. To install the add-on I uploaded the content pack at http:\/\/yoursyslogserver.com\/system\/contentpacks\/.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-249\" src=\"http:\/\/onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-21-15_29_16-Graylog-Web-Interface.png\" alt=\"graylog-web-interface\" width=\"2638\" height=\"885\" srcset=\"https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-21-15_29_16-Graylog-Web-Interface.png 2638w, https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-21-15_29_16-Graylog-Web-Interface-300x101.png 300w, https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-21-15_29_16-Graylog-Web-Interface-768x258.png 768w, https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-21-15_29_16-Graylog-Web-Interface-1024x344.png 1024w, https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-21-15_29_16-Graylog-Web-Interface-238x80.png 238w\" sizes=\"auto, (max-width: 2638px) 100vw, 2638px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-244 \" src=\"http:\/\/onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-21-14_52_53-Graylog-Web-Interface-300x148.png\" alt=\"graylog-web-interface\" width=\"367\" height=\"181\" srcset=\"https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-21-14_52_53-Graylog-Web-Interface-300x148.png 300w, https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-21-14_52_53-Graylog-Web-Interface-768x379.png 768w, https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-21-14_52_53-Graylog-Web-Interface-1024x505.png 1024w, https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-21-14_52_53-Graylog-Web-Interface-162x80.png 162w, 
https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-21-14_52_53-Graylog-Web-Interface.png 1276w\" sizes=\"auto, (max-width: 367px) 100vw, 367px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-243\" src=\"http:\/\/onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/Graylog-Web-Interface.png\" alt=\"graylog-web-interface\" width=\"3097\" height=\"542\" srcset=\"https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/Graylog-Web-Interface.png 3097w, https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/Graylog-Web-Interface-300x53.png 300w, https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/Graylog-Web-Interface-768x134.png 768w, https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/Graylog-Web-Interface-1024x179.png 1024w\" sizes=\"auto, (max-width: 3097px) 100vw, 3097px\" \/><\/p>\n<p>Here is the .conf for Windows event logs<span class=\"footnote_referrer\"><a role=\"button\" tabindex=\"0\" onclick=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_10');\" onkeypress=\"footnote_moveToReference_229_1('footnote_plugin_reference_229_1_10');\" ><sup id=\"footnote_plugin_tooltip_229_1_10\" class=\"footnote_plugin_tooltip_text\">[10]<\/sup><\/a><span id=\"footnote_plugin_tooltip_text_229_1_10\" class=\"footnote_tooltip\"><a href=\"https:\/\/gist.github.com\/tom-henderson\/dc9572a973003db18019#file-nxlog-conf\"><span class=\"footnote_url_wrap\">https:\/\/gist.github.com\/tom-henderson\/dc9572a973003db18019#file-nxlog-conf<\/span><\/a><\/span><\/span>:<\/p>\n<pre class=\"lang:default decode:true \">define ROOT C:\\Program Files 
(x86)\\nxlog\r\n\r\nModuledir %ROOT%\\modules\r\nCacheDir %ROOT%\\data\r\nPidfile %ROOT%\\data\\nxlog.pid\r\nSpoolDir %ROOT%\\data\r\nLogFile %ROOT%\\data\\nxlog.log\r\n\r\n&lt;Extension gelf&gt;\r\n    Module      xm_gelf\r\n&lt;\/Extension&gt;\r\n \r\n&lt;Input in&gt;\r\n    # Use 'im_mseventlog' for Windows XP and 2003\r\n    Module      im_msvistalog\r\n   Exec if ($EventID == 4202 or $EventID == 4208 or $EventID == 4302 or $EventID == 4304 or $EventID == 5004) drop();\\\r\n   else{\\\r\n        if ( $EventType == \"INFO\" ) $SyslogSeverityValue = 6;\\\r\n        if ( $EventType == \"WARNING\" ) $SyslogSeverityValue = 4;\\\r\n        if ( $EventType == \"ERROR\" ) $SyslogSeverityValue = 3;\\\r\n    }\r\n&lt;\/Input&gt;\r\n \r\n&lt;Output out&gt;\r\n    Module      om_udp\r\n    Host        syslog.yourwebsite.com\r\n    Port        5414\r\n    OutputType  GELF\r\n&lt;\/Output&gt;\r\n \r\n&lt;Route 1&gt;\r\n    Path        in =&gt; out\r\n&lt;\/Route&gt;<\/pre>\n<p>&nbsp;<\/p>\n<div class=\"speaker-mute footnotes_reference_container\"> <div class=\"footnote_container_prepare\"><p><span role=\"button\" tabindex=\"0\" class=\"footnote_reference_container_label pointer\" onclick=\"footnote_expand_collapse_reference_container_229_1();\">Notes & References<\/span><span role=\"button\" tabindex=\"0\" class=\"footnote_reference_container_collapse_button\" style=\"display: none;\" onclick=\"footnote_expand_collapse_reference_container_229_1();\">[<a id=\"footnote_reference_container_collapse_button_229_1\">+<\/a>]<\/span><\/p><\/div> <div id=\"footnote_references_container_229_1\" style=\"\"><table class=\"footnotes_table footnote-reference-container\"><caption class=\"accessibility\">Notes & References<\/caption> <tbody> \r\n\r\n<tr class=\"footnotes_plugin_reference_row\"> <th scope=\"row\" class=\"footnote_plugin_index_combi pointer\"  onclick=\"footnote_moveToAnchor_229_1('footnote_plugin_tooltip_229_1_1');\"><a id=\"footnote_plugin_reference_229_1_1\" 
class=\"footnote_backlink\"><span class=\"footnote_index_arrow\">&#8593;<\/span>1<\/a><\/th> <td class=\"footnote_plugin_text\"><a href=\"https:\/\/github.com\/mcholste\/elsa\"><span class=\"footnote_url_wrap\">https:\/\/github.com\/mcholste\/elsa<\/span><\/a><\/td><\/tr>\r\n\r\n<tr class=\"footnotes_plugin_reference_row\"> <th scope=\"row\" class=\"footnote_plugin_index_combi pointer\"  onclick=\"footnote_moveToAnchor_229_1('footnote_plugin_tooltip_229_1_2');\"><a id=\"footnote_plugin_reference_229_1_2\" class=\"footnote_backlink\"><span class=\"footnote_index_arrow\">&#8593;<\/span>2<\/a><\/th> <td class=\"footnote_plugin_text\"><span class=\"footnote_url_wrap\">http:\/\/docs.graylog.org\/en\/2.1\/pages\/getting_started\/web_console.html<\/span><\/td><\/tr>\r\n\r\n<tr class=\"footnotes_plugin_reference_row\"> <th scope=\"row\" class=\"footnote_plugin_index_combi pointer\"  onclick=\"footnote_moveToAnchor_229_1('footnote_plugin_tooltip_229_1_3');\"><a id=\"footnote_plugin_reference_229_1_3\" class=\"footnote_backlink\"><span class=\"footnote_index_arrow\">&#8593;<\/span>3<\/a><\/th> <td class=\"footnote_plugin_text\"><a href=\"http:\/\/docs.graylog.org\/en\/2.1\/pages\/configuration\/graylog_ctl.html?highlight=admin%20password\"><span class=\"footnote_url_wrap\">http:\/\/docs.graylog.org\/en\/2.1\/pages\/configuration\/graylog_ctl.html?highlight=admin%20password<\/span><\/a><\/td><\/tr>\r\n\r\n<tr class=\"footnotes_plugin_reference_row\"> <th scope=\"row\" class=\"footnote_plugin_index_combi pointer\"  onclick=\"footnote_moveToAnchor_229_1('footnote_plugin_tooltip_229_1_4');\"><a id=\"footnote_plugin_reference_229_1_4\" class=\"footnote_backlink\"><span class=\"footnote_index_arrow\">&#8593;<\/span>4<\/a><\/th> <td class=\"footnote_plugin_text\"><a href=\"http:\/\/docs.graylog.org\/en\/2.1\/pages\/installation\/virtual_machine_appliances.html#vmware-tools\"><span 
class=\"footnote_url_wrap\">http:\/\/docs.graylog.org\/en\/2.1\/pages\/installation\/virtual_machine_appliances.html#vmware-tools<\/span><\/a><\/td><\/tr>\r\n\r\n<tr class=\"footnotes_plugin_reference_row\"> <th scope=\"row\" class=\"footnote_plugin_index_combi pointer\"  onclick=\"footnote_moveToAnchor_229_1('footnote_plugin_tooltip_229_1_5');\"><a id=\"footnote_plugin_reference_229_1_5\" class=\"footnote_backlink\"><span class=\"footnote_index_arrow\">&#8593;<\/span>5<\/a><\/th> <td class=\"footnote_plugin_text\"><a href=\"http:\/\/docs.graylog.org\/en\/2.1\/pages\/securing.html\"><span class=\"footnote_url_wrap\">http:\/\/docs.graylog.org\/en\/2.1\/pages\/securing.html<\/span><\/a><\/td><\/tr>\r\n\r\n<tr class=\"footnotes_plugin_reference_row\"> <th scope=\"row\" class=\"footnote_plugin_index_combi pointer\"  onclick=\"footnote_moveToAnchor_229_1('footnote_plugin_tooltip_229_1_6');\"><a id=\"footnote_plugin_reference_229_1_6\" class=\"footnote_backlink\"><span class=\"footnote_index_arrow\">&#8593;<\/span>6<\/a><\/th> <td class=\"footnote_plugin_text\"><a href=\"http:\/\/docs.graylog.org\/en\/2.1\/pages\/configuration\/backup.html\"><span class=\"footnote_url_wrap\">http:\/\/docs.graylog.org\/en\/2.1\/pages\/configuration\/backup.html<\/span><\/a><\/td><\/tr>\r\n\r\n<tr class=\"footnotes_plugin_reference_row\"> <th scope=\"row\" class=\"footnote_plugin_index_combi pointer\"  onclick=\"footnote_moveToAnchor_229_1('footnote_plugin_tooltip_229_1_7');\"><a id=\"footnote_plugin_reference_229_1_7\" class=\"footnote_backlink\"><span class=\"footnote_index_arrow\">&#8593;<\/span>7<\/a><\/th> <td class=\"footnote_plugin_text\"><span class=\"footnote_url_wrap\">https:\/\/t37.net\/how-to-fix-your-elasticsearch-cluster-stuck-in-initializing-shards-mode.html<\/span><\/td><\/tr>\r\n\r\n<tr class=\"footnotes_plugin_reference_row\"> <th scope=\"row\" class=\"footnote_plugin_index_combi pointer\"  onclick=\"footnote_moveToAnchor_229_1('footnote_plugin_tooltip_229_1_8');\"><a 
id=\"footnote_plugin_reference_229_1_8\" class=\"footnote_backlink\"><span class=\"footnote_index_arrow\">&#8593;<\/span>8<\/a><\/th> <td class=\"footnote_plugin_text\"><span class=\"footnote_url_wrap\">https:\/\/marketplace.graylog.org\/addons\/750b88ea-67f7-47b1-9a6c-cbbc828d9e25<\/span><\/td><\/tr>\r\n\r\n<tr class=\"footnotes_plugin_reference_row\"> <th scope=\"row\" class=\"footnote_plugin_index_combi pointer\"  onclick=\"footnote_moveToAnchor_229_1('footnote_plugin_tooltip_229_1_9');\"><a id=\"footnote_plugin_reference_229_1_9\" class=\"footnote_backlink\"><span class=\"footnote_index_arrow\">&#8593;<\/span>9<\/a><\/th> <td class=\"footnote_plugin_text\"><a href=\"https:\/\/nxlog.co\/products\/nxlog-community-edition\/download\"><span class=\"footnote_url_wrap\">https:\/\/nxlog.co\/products\/nxlog-community-edition\/download<\/span><\/a><\/td><\/tr>\r\n\r\n<tr class=\"footnotes_plugin_reference_row\"> <th scope=\"row\" class=\"footnote_plugin_index_combi pointer\"  onclick=\"footnote_moveToAnchor_229_1('footnote_plugin_tooltip_229_1_10');\"><a id=\"footnote_plugin_reference_229_1_10\" class=\"footnote_backlink\"><span class=\"footnote_index_arrow\">&#8593;<\/span>10<\/a><\/th> <td class=\"footnote_plugin_text\"><a href=\"https:\/\/gist.github.com\/tom-henderson\/dc9572a973003db18019#file-nxlog-conf\"><span class=\"footnote_url_wrap\">https:\/\/gist.github.com\/tom-henderson\/dc9572a973003db18019#file-nxlog-conf<\/span><\/a><\/td><\/tr>\r\n\r\n <\/tbody> <\/table> <\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>The path to a great syslog! My first full-fledged syslog deployment should be interesting, and an educational read for anyone who&#8217;s on a similar path. If you do not already know what a syslog is, I suggest you do some research. 
When you&#8217;re ready please come back.<\/p>\n","protected":false},"author":1,"featured_media":231,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"image","meta":{"_uag_custom_page_level_css":"","footnotes":""},"categories":[3,2,21],"tags":[22],"class_list":["post-229","post","type-post","status-publish","format-image","has-post-thumbnail","hentry","category-linux","category-server","category-software","tag-graylog","post_format-post-format-image"],"uagb_featured_image_src":{"full":["https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_22_26-graylog2.jpg-600\u00d7450.png",1691,505,false],"thumbnail":["https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_22_26-graylog2.jpg-600\u00d7450-150x150.png",150,150,true],"medium":["https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_22_26-graylog2.jpg-600\u00d7450-300x90.png",300,90,true],"medium_large":["https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_22_26-graylog2.jpg-600\u00d7450-768x229.png",768,229,true],"large":["https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_22_26-graylog2.jpg-600\u00d7450-1024x306.png",1024,306,true],"1536x1536":["https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_22_26-graylog2.jpg-600\u00d7450.png",1536,459,false],"2048x2048":["https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_22_26-graylog2.jpg-600\u00d7450.png",1691,505,false],"post-thumbnail":["https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_22_26-graylog2.jpg-600\u00d7450.png",1691,505,false],"modality-logo":["https:\/\/www.onebyte.org\/blog\/wp-content\/uploads\/2016\/11\/2016-11-18-17_22_26-graylog2.jpg-600\u00d7450-268x80.png",268,80,true]},"uagb_author_info":{"display_name":"Mr-Moo","author_link":"https:\/\/www.onebyte.org\/blog\/author\/ahess\/"},"uagb_comment_info":0,"uagb_excerpt":
"The path to a great syslog! My first full-fledged syslog deployment should be interesting, and an educational read for anyone who's on a similar path. If you do not already know what a syslog is, I suggest you do some research. When you're ready please come back.","_links":{"self":[{"href":"https:\/\/www.onebyte.org\/blog\/wp-json\/wp\/v2\/posts\/229","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.onebyte.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.onebyte.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.onebyte.org\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.onebyte.org\/blog\/wp-json\/wp\/v2\/comments?post=229"}],"version-history":[{"count":2,"href":"https:\/\/www.onebyte.org\/blog\/wp-json\/wp\/v2\/posts\/229\/revisions"}],"predecessor-version":[{"id":297,"href":"https:\/\/www.onebyte.org\/blog\/wp-json\/wp\/v2\/posts\/229\/revisions\/297"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.onebyte.org\/blog\/wp-json\/wp\/v2\/media\/231"}],"wp:attachment":[{"href":"https:\/\/www.onebyte.org\/blog\/wp-json\/wp\/v2\/media?parent=229"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.onebyte.org\/blog\/wp-json\/wp\/v2\/categories?post=229"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.onebyte.org\/blog\/wp-json\/wp\/v2\/tags?post=229"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}