
Configuring Rancher Logging to output logs to a Graylog server

Article Number: 000022100

Environment

SUSE Rancher

Procedure

Overview

This knowledge base article explains how to configure Rancher Logging to send Kubernetes cluster logs to a Graylog server using the GELF (Graylog Extended Log Format) protocol.

Rancher Logging uses Fluentd/Fluent Bit to collect pod logs and forward them to defined outputs. In this setup:

  • ClusterOutput/Output defines the destination (Graylog)
  • ClusterFlow/Flow defines which logs to collect and route to that output

Prerequisites

  • Rancher Logging chart installed
  • Graylog server reachable from your Kubernetes cluster

Step-by-Step Configuration

Step 1: Configure GELF Input on Graylog

  1. Log in to your Graylog Web UI.
  2. Go to System → Inputs.
  3. From the “Select input” dropdown, choose GELF UDP.
  4. Click Launch new input.
  5. Configure it:
       • Bind address: 0.0.0.0
       • Port: 12201
       • Title: Kubernetes GELF Input
  6. Click Save to start the input.

If UDP doesn’t work in your environment, you can create a GELF TCP input instead. Just ensure you adjust the protocol in your Kubernetes configuration accordingly.

Step 2: Deploy Logging Configuration

Sample configuration: Send Logs from Specific Namespaces

---
# ClusterOutput for Graylog
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterOutput
metadata:
  name: graylog-gelf
  namespace: cattle-logging-system
spec:
  gelf:
    host: 10.0.0.1            # Replace with your Graylog server address
    port: 12201
    protocol: udp
    compress: true
    buffer:
      timekey: 30s
      timekey_use_utc: true
      timekey_wait: 10s
      flush_interval: 5s
      flush_thread_count: 2
      retry_type: exponential_backoff
      retry_wait: 10s
      retry_max_interval: 300s
      overflow_action: block
---
# ClusterFlow for selected namespaces
apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterFlow
metadata:
  name: cluster-to-graylog
  namespace: cattle-logging-system
spec:
  globalOutputRefs:
    - graylog-gelf
  match:
    - select:
        namespaces:
          - default
          - production
          - staging

Step 3: Deploy a Test Pod

apiVersion: v1
kind: Pod
metadata:
  name: log-generator-test
  namespace: default
  labels:
    app: log-test
spec:
  containers:
  - name: logger
    image: busybox
    command: ["/bin/sh"]
    args:
      - -c
      - |
        counter=1
        while true; do
          echo "INFO: Test log message #$counter from Kubernetes pod - $(date)"
          echo "WARN: Warning message #$counter"
          echo "ERROR: Error message #$counter"
          counter=$((counter+1))
          sleep 10
        done
  restartPolicy: Always

Step 4: Verify Logs in Graylog

  1. Open the Graylog Web UI.
  2. Go to the Search tab.
  3. You should see logs from your Kubernetes cluster.

If logs appear as expected, your setup is working.

Troubleshooting

If logs do not show up or you face issues:

  • Verify connectivity from your cluster nodes to the Graylog server and port 12201 (for UDP/TCP).
  • Check if firewall rules or network policies may block traffic.
  • Inspect the logs from the logging pods (Fluentd / Fluent Bit) — look for error messages.
  • Ensure your ClusterFlow selectors match the namespaces from which logs should be forwarded.
  • Confirm that the correct protocol (UDP or TCP) is configured on both Graylog input and ClusterOutput.
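
To tell a network or Graylog input problem apart from a Fluentd configuration problem, the following added example (not part of the original article or of Rancher Logging) sends one hand-built GELF 1.1 message straight to the input created in Step 1, over UDP or TCP. The script name `gelf_probe.py`, the sender name `gelf-probe` and the `_source` field value are assumptions; port 12201 is the one configured above.

```python
import json
import socket
import sys
import time
import zlib


def build_gelf(short_message, host="gelf-probe", level=6, **extra):
    """Return a GELF 1.1 message as UTF-8 JSON bytes."""
    msg = {
        "version": "1.1",
        "host": host,                      # assumed sender name
        "short_message": short_message,
        "timestamp": round(time.time(), 3),
        "level": level,                    # syslog severity, 6 = informational
    }
    for key, value in extra.items():
        if key == "id":                    # GELF reserves the _id field
            raise ValueError("additional field _id is not allowed")
        msg["_" + key] = value             # additional fields carry a "_" prefix
    return json.dumps(msg).encode("utf-8")


def frame(payload, protocol="udp", compress=True):
    """Wrap the JSON bytes the way the chosen GELF transport expects."""
    if protocol == "udp":
        # Graylog recognises zlib/gzip datagrams by their magic bytes.
        return zlib.compress(payload) if compress else payload
    if protocol == "tcp":
        # GELF TCP delimits messages with a null byte and takes no compression.
        return payload + b"\x00"
    raise ValueError("protocol must be 'udp' or 'tcp'")


def send(server, port, data, protocol="udp", timeout=3.0):
    """Send one framed message; a TCP connect failure raises OSError."""
    if protocol == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:  # IPv4 only
            return sock.sendto(data, (server, port))
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(data)
        return len(data)


if __name__ == "__main__":
    server = sys.argv[1]
    proto = sys.argv[2] if len(sys.argv) > 2 else "udp"
    body = build_gelf("gelf-probe test message", source="rancher-logging-check")
    print(send(server, 12201, frame(body, proto), proto), "bytes sent")
```

Run it as `python3 gelf_probe.py <graylog-address> udp` (or `tcp`) from a host or pod that shares the network path of the logging pods. A successful UDP send only shows that the datagram left the sender, so confirm the message in the Graylog Search tab.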

For detailed troubleshooting steps specific to Rancher Logging, you can refer to the SUSE support article:
How to troubleshoot Rancher Logging
