Open Source Logging: Getting Started with Graylog

Really good question. I’m experiencing the same thing but have not found a solution so far. Please share if you find a solution.

@LTS_Tom, thanks for a great video and taking the time to share.

I have a question regarding your extractor.

"condition_value": "^.*filterlog:(.*),(in|out),4,.*,udp,.*$"

I have tried your extractor but can’t get it to work. My logs have the format “filterlog[34521]:”, but your extractor doesn’t accommodate the hard brackets and ID ([34521]). And looking closer at your YouTube video it seems like you use the following regex: filterlog\[.....\]:(.*)$.

Is this just because the extractor on github is not updated or am I doing something wrong?

Again, thanks for a great video.

The new pfsense updated the log format so you also need to update the extractor to match.

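As an added example (not code from the thread, the video, or the GitHub extractor), this Python snippet runs the extractor condition quoted above against constructed sample lines in both the older “filterlog:” format and the newer “filterlog[pid]:” format, so you can see why the published condition stops firing after the pfSense update. The UPDATED_CONDITION pattern is a suggestion of mine, not the author’s published one, and the sample lines are constructed, not captured traffic.

```python
import re

# Extractor condition as quoted in the thread (matches the older "filterlog:" prefix only).
ORIGINAL_CONDITION = r"^.*filterlog:(.*),(in|out),4,.*,udp,.*$"

# Suggested replacement (assumption, not the author's): allow an optional "[pid]"
# between "filterlog" and ":" so both the old and the new syslog prefix match.
UPDATED_CONDITION = r"^.*filterlog(?:\[\d+\])?:(.*),(in|out),4,.*,udp,.*$"

# Constructed sample lines. Field values are illustrative only.
OLD_FORMAT_UDP = (
    "Jan 12 10:00:01 pfsense filterlog: 5,,,1000000103,igb0,match,block,in,4,"
    "0x0,,64,12345,0,DF,17,udp,60,192.0.2.10,198.51.100.20,53,53,40"
)
NEW_FORMAT_UDP = (
    "Jan 12 10:00:02 pfsense filterlog[34521]: 5,,,1000000103,igb0,match,block,in,4,"
    "0x0,,64,12346,0,DF,17,udp,60,192.0.2.10,198.51.100.20,53,53,40"
)
# A TCP line in the new format: should not fire, because the condition is UDP-specific.
NEW_FORMAT_TCP = (
    "Jan 12 10:00:03 pfsense filterlog[34521]: 5,,,1000000103,igb0,match,block,in,4,"
    "0x0,,64,12347,0,DF,6,tcp,60,192.0.2.10,198.51.100.20,51515,443,0,S,1,,65535,,mss"
)
SAMPLES = {"old_udp": OLD_FORMAT_UDP, "new_udp": NEW_FORMAT_UDP, "new_tcp": NEW_FORMAT_TCP}


def condition_matches(pattern, line):
    """Return (captured_prefix, direction) if the extractor condition fires, else None."""
    m = re.match(pattern, line)
    if not m:
        return None
    return m.group(1).strip(), m.group(2)


def check_extractor(pattern, lines):
    """Map each sample name to whether the extractor condition would accept that line."""
    return {name: condition_matches(pattern, line) is not None for name, line in lines.items()}


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_CONDITION), ("updated", UPDATED_CONDITION)):
        print(label, check_extractor(pattern, SAMPLES))
```

Run it locally before pasting a changed condition into Graylog; the same approach works for any extractor regex you want to validate against lines copied from a real message.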

Is there any simple instruction on how to send logs from TrueNAS to Graylog?

Create an input in Graylog to ingest Syslog messages then put in Graylog as the destination in the TrueNAS for a Syslog server.

@transonic14 - I found a solution. I posted the solution on XCP-NG forum: How to disable debug log to syslog server? | XCP-ng and XO forum

I hope it helps.

I don’t see an option in unifi in new UI. Any idea where is it?

Click the bottom far left gear icon, go to “System” then scroll down to “System Logging”

It looks like the OVAs have been removed, and for the life of me I cannot get the Graylog or anyone else’s install instructions to work. MongoDB won’t install (package doesn’t exist) and some of their instructions just hang. It seems that the Graylog-provided install instructions are lacking several steps, and it is way beyond my abilities to work out what they might be! I’m trying to install on a virgin Ubuntu 22.04 VM with 4 cores, 4Gb RAM and 100Gb disk.

Make sure you are following their version 5 instructions.

https://go2docs.graylog.org/5-0/downloading_and_installing_graylog/installing_graylog.html

I just went through this on Ubuntu 22.04 last night and had quite the fight trying to get Mongo installed. I ended up running it on Debian 11 and running version 4.0 instead. I’ll fight with it another day and see if I can make 5.0 go with Opensearch.

One thing to make sure of if you’re copying the commands and you’re logged in as root: if you lop the sudo off at the start of the line and there is a | (likely to tee), make sure you remove the sudo after the | as well. I think that was part of what was getting me.

I had a hell of a time getting Graylog installed on Ubuntu 22.04.

The key, it turns out, is that their documentation is wrong. It is not compatible with OpenSearch 2.x. You need to use 1.3.4.

Good to know. I bet that’s why I was having so many issues!

Graylog or Ubuntu is not compatible with OpenSearch 2.x?

I assume graylog. I’m using version 5.0 from their repo but when using opensearch versions above 2.0 it refuses to start.

If I remember correctly it was giving me an error like it was looking for elasticsearch even with opensearch installed.

Elasticsearch has deprecated deb https://artifacts.elastic.co/packages/oss-7.10.2/apt stable main so you have to install it manually:

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.10.2-amd64.deb
wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.10.2-amd64.deb.sha512
# Following compares the SHA of the downloaded Debian package and the published checksum, which should output elasticsearch-{version}-amd64.deb: OK.
shasum -a 512 -c elasticsearch-7.10.2-amd64.deb.sha512
sudo dpkg -i elasticsearch-7.10.2-amd64.deb

If installing on a Proxmox VM, set the Processor Type to host. The default kvm64 won’t work with MongoDB (which needs AVX).

Thought I had the same problem. Turns out that my TrueNAS couldn’t resolve the short hostname of my Graylog server. I used the FQDN of my Graylog server and it started working. Verify you can ping your Graylog server from TrueNAS using the hostname you supplied to TrueNAS for syslog.