Adding syslog ports to filebeats filter

I'd like to get logstash accepting syslogs on the default 514 ports, both tcp and udp.

I'm trying to follow this guide for the filters:
https://www.elastic.co/guide/en/logstash/6.7/logstash-config-for-filebeat-modules.html#parsing-system

But I'm not sure if I can use this syslog filter for both filebeats and native syslog?

If I can use it for both, is there a way to list more than one port so it can listen for all of them?
5044 and 514 tcp/udp?

Maybe just keep adding ports like this example?
https://www.elastic.co/guide/en/logstash/current/config-examples.html#_processing_syslog_messages

Thanks for the help.

You can listen on multiple ports by adding additional inputs. Each input will only listen on one port.

Should I be able to see it listening with netstat?

Yes.

Interesting.
I added:

input {
  tcp {
    port => 514
    type => syslog
  }
  udp {
    port => 514
    type => syslog
  }
}

And restarted logstash and then the server, and I still do not see it listening on 514:

root@lxelk:~# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1651/nginx: master
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1021/systemd-resolv
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1568/sshd
tcp        0      0 127.0.0.1:5601          0.0.0.0:*               LISTEN      1148/node
tcp6       0      0 ::1:9200                :::*                    LISTEN      1295/java
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      1295/java
tcp6       0      0 :::80                   :::*                    LISTEN      1651/nginx: master
tcp6       0      0 :::5044                 :::*                    LISTEN      1108/java
tcp6       0      0 ::1:9300                :::*                    LISTEN      1295/java
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      1295/java
tcp6       0      0 :::22                   :::*                    LISTEN      1568/sshd
tcp6       0      0 127.0.0.1:9600          :::*                    LISTEN      1108/java
udp        0      0 127.0.0.53:53           0.0.0.0:*                           1021/systemd-resolv

Looks like only kibana on 5601.
No firewall involved. ufw is disabled.
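
An added example, not part of any post in this thread: a small shell function that reads `netstat -tunlp` output and reports, for each expected protocol/port pair, whether a socket is bound and which process owns it. The names `check_listeners` and `sample_netstat` are made up for illustration, and the sample rows are copied from the output posted above.

```shell
#!/bin/sh
# Added example. sample_netstat replays rows copied from the netstat output
# posted above so the script runs offline; on a live host use `netstat -tunlp`.
sample_netstat() {
  cat <<'EOF'
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1651/nginx: master
tcp 0 0 127.0.0.1:5601 0.0.0.0:* LISTEN 1148/node
tcp6 0 0 :::5044 :::* LISTEN 1108/java
tcp6 0 0 127.0.0.1:9600 :::* LISTEN 1108/java
udp 0 0 127.0.0.53:53 0.0.0.0:* 1021/systemd-resolv
EOF
}

# check_listeners (hypothetical name): read netstat rows on stdin and, for each
# proto/port argument such as tcp/514, print BOUND plus the owning PID/program,
# or MISSING when no socket is bound to that port.
check_listeners() {
  awk -v want="$*" '
    BEGIN { n = split(want, w, " ") }
    # Socket rows start with tcp, tcp6, udp or udp6; header lines are skipped.
    $1 ~ /^(tcp|udp)6?$/ {
      proto = substr($1, 1, 3)            # fold tcp6/udp6 into tcp/udp
      port = $4; sub(/.*:/, "", port)     # port follows the last colon
      who = "-"                           # netstat prints "-" without root
      # UDP rows have no State column, so locate the PID/Program field.
      for (f = 6; f <= NF; f++) if ($f ~ /^[0-9]+\//) { who = $f; break }
      owner[proto "/" port] = who
    }
    END {
      for (i = 1; i <= n; i++) {
        if (w[i] in owner) { print w[i], "BOUND", owner[w[i]] }
        else { print w[i], "MISSING" }
      }
    }'
}

sample_netstat | check_listeners tcp/5044 tcp/514 udp/514
```

On a live host, pipe the real command in instead: `netstat -tunlp | check_listeners tcp/5044 tcp/514 udp/514`.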
