Pipelines not working about pihole HOT 7 CLOSED

@bionicfish
OK I figured it out!! Obviously the ip will need to be changed!:

. @111.111.111.111:1515;RSYSLOG_SyslogProtocol23Format
module(load="imfile" PollingInterval="10")

input(type="imfile"
File="/var/log/pihole.log"
StateFile="/var/run/pihole.log.state"
Tag="pihole"
Severity="info"
Facility="local7")

from pihole.

I haven't been ignoring this. I am in the process of rebuilding and re-deploying my defensive systems. I did a basic forward of the pihole logs, i didn't tag or specify specific log levels to sent i just forwarded all entries.

Also the contentpack is set to establish the graylog input on 1515, if you accounted for that then see the questions below.

Are the logs making it to the graylog?
Have you tested a syslog entry against the main grok patterns?
Have you evaluated the pipeline, using the built-in simulation graylog gives to see how the log will be processed?

I will have an updated version released by the end of the year with clearer instructions and a better readme breakdown, as i get my new systems established.

from pihole.

Yeah I am having the same problem the logs are making it to graylog but i cant help but wonder if its the way I send them to graylog I am merely running this in syslog:
. 192.168.1.6:1515

Is there a better way to send the logs into graylog?

from pihole.

I just took a look at the extractor and its not matching anything. It seems none of the query logs have pihole in the message. So I think it definitely must be the way I am sending it to graylog.

from pihole.

Hi,

I'm facing the same issues as @bionicfish, with his same config. Rsyslog is sending the data to graylog:

But "show received messages" remains empty:

I tried using @Spyd3r0TW 's config but then I get this error and rsyslog doesn't send anything:

Mar 22 18:03:35 pihole rsyslogd[904026]: invalid character in selector line - ';template' expected [v8.2001.0] Mar 22 18:03:35 pihole systemd[1]: Started System Logging Service. Mar 22 18:03:35 pihole rsyslogd[904026]: error during parsing file /etc/rsyslog.d/graylog.conf, on or before line 1: errors occured in file '/etc/rsyslog.d/graylog.conf' around line 1 [v8.2001.0 try https://www.rsyslog.com/e/2207 ]
tcpdump output is empty:

root@graylog:/var/log/graylog-server# tcpdump port 1515 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes

from pihole.

It's ok, figured it out:

`*.* @1.2.3.4:1515;RSYSLOG_SyslogProtocol23Format

module(load="imfile" PollingInterval="10")

input(type="imfile"
File="/var/log/pihole.log"
StateFile="/var/run/pihole.log.state"
Tag="pihole"
Severity="info"
Facility="local7")`

Spyd3r0TW's code was missing the *

from pihole.

I added some additional info to the readme guys, i am taking a break from graylog and using ELK. if you feel the grok patterns can be improved feel free to submit pull requests I am restructuring some internal content and documentation, and will have further content released in general related to log analysis, security, hosting and at home cloud/lab environments. As a side not I added the config for using syslog-ng which is way easier and retains the integrity of the logs. you'll have to validate the the current grok accounts for that.

from pihole.