This article explains how to set up Fluentd with Graylog. Graylog is a popular log management server powered by Elasticsearch and MongoDB. You can combine Fluentd and Graylog to create a scalable log analytics pipeline.
- Basic understanding of Fluentd
- Linux server (Ubuntu 24.04 LTS is not supported yet; use 20.04 or 22.04)
- Fluentd
- MongoDB Community Server (use 7.0)
- Graylog (use 6.1)
You can install Fluentd via major packaging systems.
You can install MongoDB via major packaging systems.
{% hint style='warning' %} Use MongoDB 7.x because Graylog 6.1 does not support MongoDB 8.x. {% endhint %}
You can install Graylog Data Node and Server on Ubuntu.
Go to http://localhost:9000 and log into the web interface. To log in, use `admin` as the username and `YOUR_PASSWORD` as the password (the one you have set up for `root_password_sha2`).

Once logged in, click on `System` in the top nav. Next, click on `Inputs` from the left navigation bar (or simply go to http://localhost:9000/system/inputs). Then, from the dropdown, choose `GELF UDP` and click on `Launch new input`, which should pop up a modal dialogue. Select the `Node` and fill in the `Title`. Then, click `Save`.
Now, Graylog is ready to accept messages from Fluentd over UDP. It is time to configure Fluentd.
{% hint style='info' %}
In some cases the modal dialogue is not shown when you click `Launch new input`. Check your browser configuration (for example, a pop-up or script blocker).
{% endhint %}
You can install Fluentd via major packaging systems.
If `out_gelf` (fluent-plugin-gelf-hs) is not installed yet, please install it manually. See the Plugin Management section for how to install fluent-plugin-gelf-hs in your environment.

Then, configure `/etc/fluent/fluentd.conf` as follows:
```
<source>
  @type syslog
  tag graylog
</source>

<match graylog.**>
  @type gelf
  host 127.0.0.1
  port 12201
  <buffer>
    flush_interval 5s
  </buffer>
</match>
```
Create `/etc/rsyslog.d/90-fluentd.conf` and add the following line to the file (a single `@` forwards over UDP to the port that Fluentd's `syslog` input listens on, 5140 by default):

```
*.* @127.0.0.1:5140
```
Finally, restart `rsyslog` and Fluentd with the following commands:

```
$ sudo systemctl restart rsyslog
$ sudo systemctl restart fluentd
```
When you log back into Graylog, you should be seeing a graph like this (wait for events to flow in):
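If no events show up, it helps to inject a test message at each hop of the pipeline separately, so you can tell whether the Graylog GELF input, the Fluentd `syslog` input, or the rsyslog forwarding rule is the part that is not working. The script below is an added example written for this page, not code from the Fluentd or Graylog projects. It constructs a GELF 1.1 message of the kind `out_gelf` emits and sends it straight to the Graylog input on 12201/udp, and it constructs an RFC 3164 syslog line of the kind rsyslog forwards and sends it to Fluentd on 5140/udp. The addresses, ports and the `_test_stage` field are assumptions that match the configuration above; adjust them if your hosts differ.

```python
"""Send one constructed test event to each hop of the rsyslog -> Fluentd -> Graylog
pipeline (hypothetical helper for this page; not part of Fluentd or Graylog)."""
import gzip
import json
import socket
import time
from datetime import datetime

# Assumed endpoints, matching the configuration shown on this page.
GRAYLOG_GELF = ("127.0.0.1", 12201)   # the GELF UDP input created in the Graylog UI
FLUENTD_SYSLOG = ("127.0.0.1", 5140)  # Fluentd in_syslog (default port)


def build_gelf(short_message, host="fluentd-test", level=6, **extra):
    """Build a GELF 1.1 payload, gzip-compressed, as the Graylog UDP input accepts.

    Extra (custom) fields are sent with a leading underscore, as the GELF spec
    requires; '_id' is reserved and must not be used.
    """
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": time.time(),
        "level": level,  # syslog severity; 6 = informational
    }
    for key, value in extra.items():
        if key == "id":
            raise ValueError("'_id' is a reserved GELF field")
        msg["_" + key] = value
    return gzip.compress(json.dumps(msg).encode("utf-8"))


def parse_gelf(payload):
    """Inverse of build_gelf: decompress and decode the JSON document."""
    return json.loads(gzip.decompress(payload).decode("utf-8"))


def build_syslog(message, host="webhost", tag="sshd", pid=1234,
                 facility=4, severity=6, when=None):
    """Build an RFC 3164 line like the ones rsyslog forwards to Fluentd.

    PRI is facility * 8 + severity (facility 4 = auth, severity 6 = info).
    The day of month is space-padded, as RFC 3164 specifies ("Mar  5").
    """
    when = when or datetime.now()
    pri = facility * 8 + severity
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri}>{stamp} {host} {tag}[{pid}]: {message}".encode("utf-8")


def send_udp(payload, dest):
    """Fire one UDP datagram; returns the number of bytes handed to the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, dest)


if __name__ == "__main__":
    # Hop 1: bypass Fluentd entirely to confirm the Graylog input itself works.
    send_udp(build_gelf("graylog input check", test_stage="direct-gelf"), GRAYLOG_GELF)
    # Hop 2: bypass rsyslog to confirm Fluentd parses syslog and forwards via out_gelf.
    send_udp(build_syslog("fluentd syslog check"), FLUENTD_SYSLOG)
    print("sent; search Graylog for 'input check' (allow for the 5s flush_interval)")
```

Search Graylog for `input check` after running it. If only the direct GELF message arrives, the problem is between Fluentd and Graylog (plugin not installed, wrong `host`/`port`, or the buffer not flushing yet); if both arrive but real logs still do not, the rsyslog forwarding rule is the remaining suspect. Remember that UDP gives no delivery confirmation, so a missing message means "did not arrive", not necessarily "was rejected".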
If this article is incorrect or outdated, or omits critical information, please let us know. Fluentd is an open-source project under Cloud Native Computing Foundation (CNCF). All components are available under the Apache 2 License.