How to Forward Pi-Hole Log Messages and Events to Graylog

rsyslog can be used to forward Pi-hole’s log messages and events to Graylog. The imfile module of rsyslog converts the lines of any log or other text file into syslog messages. By combining the input module imfile with the output module omfwd, you can send the converted syslog messages from Pi-hole to Graylog.

On your Pi-hole server, create a file under /etc/rsyslog.d/ named 02-graylog.conf:

nano /etc/rsyslog.d/02-graylog.conf

Add the following to the file with the appropriate modifications for the IP address and port number of the target:

# Use the output module omfwd with action object to send logs to target server
action(type="omfwd" target="192.168.1.2" port="519" protocol="udp"
           action.resumeRetryCount="100"
           queue.type="LinkedList" queue.size="10000")

# Enable the input module imfile to process the text files and logs
module(load="imfile" PollingInterval="30" statefile.directory="/var/spool/rsyslog")

# Define the input files of the logs to send to the target server
input(type="imfile" File="/var/log/pihole.log"
         Tag="pihole"
         Severity="info"
         Facility="local0") # Optional - default is local0
input(type="imfile" File="/var/log/pihole-FTL.log"
         Tag="piFTL"
         Severity="info"
         Facility="local0") # Optional - default is local0

After you’ve entered the above code with your modifications, save the file and then restart rsyslog:

systemctl restart rsyslog

Your Pi-hole server is now sending the log messages to the target Graylog server. You will now need to set up an input in Graylog for UDP syslog messages from your Pi-hole server.
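The action in the file above has no filter and sits at the top level, so it forwards every message that passes through rsyslog's default ruleset, not only the two Pi-hole files. The variant below is an added example, not part of the original article: it binds the imfile inputs to a dedicated ruleset so that only Pi-hole lines go to Graylog. The ruleset name pihole_to_graylog is an assumption chosen for illustration; the target, port and file paths are the ones used above.

```conf
# /etc/rsyslog.d/02-graylog.conf (scoped variant, added example)

# Enable the input module imfile to process the text files and logs
module(load="imfile" PollingInterval="30" statefile.directory="/var/spool/rsyslog")

# Dedicated ruleset: only messages from inputs bound to it reach this action.
# "pihole_to_graylog" is a hypothetical name; any unused ruleset name works.
ruleset(name="pihole_to_graylog") {
    action(type="omfwd" target="192.168.1.2" port="519" protocol="udp"
           action.resumeRetryCount="100"
           queue.type="LinkedList" queue.size="10000")
}

# Bind each Pi-hole input to the ruleset instead of the default one
input(type="imfile" File="/var/log/pihole.log"
      Tag="pihole"
      Severity="info"
      Facility="local0"
      ruleset="pihole_to_graylog")
input(type="imfile" File="/var/log/pihole-FTL.log"
      Tag="piFTL"
      Severity="info"
      Facility="local0"
      ruleset="pihole_to_graylog")
```

With this binding the Pi-hole lines bypass the default ruleset, so the distribution's default rules no longer copy them into local syslog files, and other system logs stay on the host. Running rsyslogd -N1 checks the configuration syntax before you restart the service.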