Central syslog — Graylog (LXC 109)

Role: Central syslog for network gear — not SIEM.
Host: prox LXC 109 (graylog, 192.168.6.197, graylog.lab.local)
SIEM: Wazuh on managed Linux hosts.


Non-goals

  • Do not configure Graylog as primary security correlation (use Wazuh).
  • Do not forward full managed-Linux syslog to Graylog while Wazuh agents collect the same auth logs (duplication rule — see compute disposition review).

Revive checklist

  1. Export existing Graylog config from stopped LXC 109 (inputs, streams, extractors).
  2. Power on VMID 109 on prox; patch OS; verify Graylog service listens on 514/12201.
  3. Configure syslog inputs:
       • UDM SE — Settings → System → Advanced → Remote Logging → Graylog IP:514 UDP/TCP
       • UniFi switches/APs — per UniFi remote logging docs
       • Optional: HAOS / Whrrr syslog (low priority).
  4. Verify: send test message; search in Graylog UI within 60s.
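
One way to carry out the verify step, as an added example that is not part of the original runbook: it sends one uniquely tagged RFC 5424 message over UDP and one over TCP to the Graylog address and port given above, and prints the markers to search for in the UI. The hostname and app name, the local0.info priority and the newline TCP framing are assumptions.

```python
import socket
import time
import uuid

GRAYLOG_HOST = "192.168.6.197"  # LXC 109 address from this page
SYSLOG_PORT = 514               # syslog input port from this page

def build_syslog(marker, hostname="syslog-test", app="revive-check",
                 facility=16, severity=6):
    """Build an RFC 5424 line. PRI = facility*8 + severity (local0.info = 134).
    hostname/app are assumed sample values, not names from the runbook."""
    pri = facility * 8 + severity
    ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return f"<{pri}>1 {ts} {hostname} {app} - - - graylog revive test marker={marker}"

def send_udp(host, port, line):
    # UDP is fire-and-forget: success here only means the datagram left this host.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))

def send_tcp(host, port, line, timeout=5.0):
    # Assumes the TCP input uses newline-delimited framing.
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(line.encode() + b"\n")

def send_test(host=GRAYLOG_HOST, port=SYSLOG_PORT):
    """Send one message per transport; return {proto: marker or None}."""
    results = {}
    for proto, sender in (("udp", send_udp), ("tcp", send_tcp)):
        marker = f"{proto}-{uuid.uuid4().hex[:12]}"
        try:
            sender(host, port, build_syslog(marker))
            results[proto] = marker
        except OSError as exc:
            # A TCP refusal shows the listener is down; UDP cannot show this.
            print(f"{proto} send failed: {exc}")
            results[proto] = None
    return results

if __name__ == "__main__":
    for proto, marker in send_test().items():
        if marker:
            print(f'{proto}: search Graylog for "{marker}" within 60s')
        else:
            print(f"{proto}: not sent, check the input and firewall")
```

A failed TCP connect proves the input is not listening, but a successful UDP send proves nothing on its own, so the search in the Graylog UI remains the actual pass condition for both markers.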

Inventory

Graylog is marked keep (status: active, role: central-syslog). It is not in the compute decommission queue.