Adding a centralized logging server

Using the Goblin

Getting the Goblin

Download the desired binary:

•    Docker image: 

•    Linux binary:

•    Windows binary:

To import the docker image, run: docker load -i docker-goblin.tar.gz

On Linux, you will have to mark the file as executable: chmod +x goblin_server.

Running the server


1. Generate a new private key for the server, and save it to the default config file:
$ ./goblin_server keygen --save

2. Open this config file in a text editor. It’s located at “C:\Users\[username]\AppData\Roaming\atakama\server.cfg” on Windows, and “~/.config/atakama/server.cfg” on Linux.

3. Configure an output type. Here’s an example file:

        "privkey_pem": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----",
        "output": {
            "json_file": "/tmp/goblin.log"

This will write all events in JSON lines format to /tmp/goblin.log.

Here’s an example for Logstash output, where <endpoint> is the endpoint you configured for your HTTP input plugin:

    "privkey_pem": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----",
    "output": {
        "logstash_url": "https://<endpoint>"

And finally, for an RFC 3164-compatible syslog server:

    "privkey_pem": "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----",
    "output": {
        "rfc3164_syslog_url": "https://<ip or hostname>[:port]"

Note that if unspecified, the port will default to 514.

4.    Get your server’s ID. This will be used when connecting an Atakama instance to the server.

$ ./goblin_server get-id



Save this value somewhere you will be able to reference it later.

5. Start the server:

$ ./goblin_server start

20201118-143434: INFO: __main__ - Loading config from '/home/user/.config/atakama/goblin/server.cfg'
20201118-143434: CRITICAL: __main__ - This server's device id is: 46e9ceacc26ca48ef8ee90d21b24b2f4
20201118-143434: INFO: __main__ - Starting server
20201118-143434: INFO: loggoblin.goblin - workstation relay connect: wss://
20201118-143435: INFO: loggoblin.goblin - Connected to relay server
20201118-143435: INFO: loggoblin.goblin - Goblin startup complete

To exit, just hit Ctrl-C and the server will shut down cleanly.

Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.