Graylog: Syslog aggregation for free?

Welcome back! Today, I’ll be discussing one of my favorite homelab projects: Graylog.

Graylog is a centralized log management platform; Graylog Open is free to use, and the Enterprise edition has a free tier below a daily ingest limit (more on that below). What does that mean? Well, we’ll start with syslog. Syslog is the standard format and network protocol that Linux and most network gear use to record what a system is doing (on Ubuntu you can read the local copy in /var/log/syslog). Windows keeps the equivalent in its Event Logs on both server and home editions; those are not syslog, but an agent such as Winlogbeat or NXLog (managed through Graylog Sidecar) can forward them to Graylog as well. These come in handy when troubleshooting issues or when you need to check a specific time frame to see what a system was doing. But that requires logging into each system individually to read them; if there’s an issue affecting multiple systems, you’ll need to check each one and correlate time frames by hand. Enter Graylog.

Graylog gives you a single place to receive logs from every host on one or more networks. In the case of my homelab I run about 25 virtual machines of Windows and Linux varieties. Trying to nail down an issue across multiple servers can be a bit of a pain, but with Graylog I can see everything in one spot. But that’s just scratching the surface.

One of the most powerful functions of Graylog is the ability to set rules that fire on the messages it receives from your systems. Want to spot devices on the network that shouldn’t be there? Watch for DHCP leases (the DHCPACK line your DHCP server logs) and have Graylog email you when a MAC address it hasn’t seen before gets one. Want to know if someone escalates to Administrator on a Windows box? Build an event definition that matches the Security log entry for it (event ID 4732, a member added to a security-enabled local group such as Administrators) and attach an email notification. It’s incredible, really, that this software is free.

I’m currently running Graylog Enterprise, as my daily intake of messages is well below the 2GB/day maximum even with ~25 systems sending logs and doing routine maintenance across the systems (which can generate quite a lot of messages if it’s been a while since the last round of updates). The dashboard I run is a saved search for the past 12 hours, and you can have it automatically refresh to keep an eye on it (I’m a huge sucker for dashboards):

Keeping this up also allows me to see if there’s anything sending a larger than normal amount of messages. I had a situation one time where my DNS server (PiHole) was being bombarded by a smart home device and I was able to see this from the dashboard and reboot the device to fix the issue.
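To make the kind of rules described above concrete, here is an added example (my own code, not from the original post or from Graylog itself) that runs the same three checks in plain Python over constructed sample data: unknown DHCP leases from dnsmasq-style syslog lines, admin-group additions from Windows Security events, and a source that is suddenly far noisier than its peers. The log lines, event field names, MAC allowlist and thresholds are all made up for the example; in Graylog you would express the first two as event definitions with an email notification and the third as a per-source message count on the dashboard.

```python
import re
import statistics
from collections import Counter

# Constructed sample syslog lines in the format dnsmasq (the DHCP server
# behind Pi-hole) writes; none of these come from the original post.
SAMPLE_SYSLOG = """\
Mar  3 10:15:01 pihole dnsmasq-dhcp[712]: DHCPACK(eth0) 192.168.1.42 aa:bb:cc:dd:ee:01 laptop
Mar  3 10:15:07 pihole dnsmasq-dhcp[712]: DHCPACK(eth0) 192.168.1.77 aa:bb:cc:dd:ee:02 nas
Mar  3 10:16:30 pihole dnsmasq-dhcp[712]: DHCPACK(eth0) 192.168.1.203 de:ad:be:ef:00:42
Mar  3 10:16:31 pihole dnsmasq-dhcp[712]: DHCPREQUEST(eth0) 192.168.1.203 de:ad:be:ef:00:42
""".splitlines()

# Assumed allowlist of MACs you already know about (made up for the example).
KNOWN_MACS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}

# DHCPACK is the line that proves a lease was actually handed out; the
# hostname at the end is optional because not every client sends one.
DHCPACK_RE = re.compile(
    r"DHCPACK\((?P<iface>\w+)\)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<host>\S+))?",
    re.IGNORECASE,
)


def unknown_dhcp_leases(lines, known_macs):
    """Return (ip, mac, hostname) for every lease granted to a MAC not on the allowlist."""
    hits = []
    for line in lines:
        m = DHCPACK_RE.search(line)
        if m and m.group("mac").lower() not in known_macs:
            hits.append((m.group("ip"), m.group("mac").lower(), m.group("host") or "?"))
    return hits


# Constructed Windows Security events as they might look after an agent such as
# Winlogbeat ships them and Graylog extracts the fields. The field names are an
# assumption for this example, not Graylog's or Winlogbeat's schema.
SAMPLE_WIN_EVENTS = [
    {"event_id": 4624, "host": "WS01", "subject": "alice", "target_user": "alice"},
    {"event_id": 4732, "host": "WS01", "subject": "alice", "group": "Administrators", "member": "WS01\\alice"},
    {"event_id": 4732, "host": "WS01", "subject": "svc_backup", "group": "Backup Operators", "member": "WS01\\bob"},
    {"event_id": 4728, "host": "DC01", "subject": "bob", "group": "Domain Admins", "member": "LAB\\bob"},
]

# 4732 = member added to a security-enabled local group,
# 4728 = member added to a security-enabled global group.
GROUP_ADD_EVENT_IDS = {4732, 4728}
ADMIN_GROUPS = {"administrators", "domain admins", "enterprise admins"}


def admin_escalations(events):
    """Return the events where someone was added to an administrative group."""
    return [
        e for e in events
        if e.get("event_id") in GROUP_ADD_EVENT_IDS
        and e.get("group", "").lower() in ADMIN_GROUPS
    ]


# Constructed per-source message counts for a 12-hour window, the same view a
# "count by source" dashboard widget gives you. One smart-home device is
# flooding the log far beyond what the other hosts produce.
SAMPLE_SOURCE_COUNTS = Counter(
    {"pihole": 6000, "nas": 1200, "ws01": 900, "dc01": 1500, "smartplug": 90000}
)


def noisy_sources(counts, factor=10):
    """Flag sources whose message count is more than `factor` times the median.
    The median is robust to the outlier itself, unlike a plain mean."""
    if len(counts) < 2:
        return []
    threshold = factor * statistics.median(counts.values())
    return sorted(src for src, n in counts.items() if n > threshold)


if __name__ == "__main__":
    for ip, mac, host in unknown_dhcp_leases(SAMPLE_SYSLOG, KNOWN_MACS):
        print(f"ALERT unknown DHCP lease: {ip} {mac} ({host})")
    for e in admin_escalations(SAMPLE_WIN_EVENTS):
        print(f"ALERT {e['host']}: {e['subject']} added {e['member']} to {e['group']}")
    for src in noisy_sources(SAMPLE_SOURCE_COUNTS):
        print(f"ALERT noisy source: {src} ({SAMPLE_SOURCE_COUNTS[src]} msgs)")
```

Two things worth carrying over into the real Graylog rules: alert on DHCPACK rather than DHCPREQUEST, or the same unknown client shows up twice per renewal, and normalize the MAC to lower case before comparing, since different DHCP servers log it in different cases.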

So yeah, I dig it. Graylog is super neat, the searches are extremely fast even for large amounts of data and deploying it on Ubuntu only takes an afternoon’s worth of work for someone with limited Linux knowledge. It’s also neat that they allow some Enterprise features for the free version if you’re under a set limit of messages per day, allowing me to test this further on my Homelab before potentially using this for a real production environment. Overall: 9/10, would install and use again.

Thanks for reading! I hope you enjoyed my post and keep checking back for more information and projects. Cheers!
