Collect logs from two NIC cards on same server

bambam · November 7, 2017, 5:54pm

I have Kibana (Version 4.3.1) installed on Red Hat release 7.1 and it's working for the most part. I have two network cards on the computer and logstash is only collecting logs from one network card. The network cards are a /25 network so one network card is 192.168.1.0/25 and the other network card is 192.168.1.128/25. The network cards are also bridged to a virtual adapters with eth0 = br0 and eth1 = br1. What changes need to be made in order for logstash to collect logs from both network cards?

magnusbaeck · November 8, 2017, 6:27am

What does your configuration look like?

bambam · November 8, 2017, 5:14pm

I'm not an expert with the setup by any means so can you provide some direction on where I would find the exact configuration file?

magnusbaeck · November 9, 2017, 6:50am

The pipeline configuration files are typically found in /etc/logstash/conf.d.

bambam · November 9, 2017, 12:09pm

magnusbaeck · November 9, 2017, 1:34pm

Okay, so you're not explicitly binding to just one of the interfaces. That's good. What's the output of netstat -an | grep 3515? Have you tried using multiple tcp inputs that listen to the same port but on different interfaces (use the tcp input's host option).

Please don't post screenshots when you can use plain old copy/paste.

bambam · November 9, 2017, 2:18pm

tcp6 0 0 :::3515 :::* LISTEN
tcp6 0 192.168.1.70:3515 192.168.1.72:40005 ESTABLISHED

How do I configure logstash to listen to multiple tcp inputs on the same port?

Thank you for your assistance

magnusbaeck · November 9, 2017, 2:34pm

tcp6 0 0 :::3515 :::* LISTEN

This shows that Logstash is listening on all interfaces. Have you verified that it's impossible to reach Logstash from any of the networks?

How do I configure logstash to listen to multiple tcp inputs on the same port?

You currently have one tcp input. Make a copy of it but make sure both have unique host options containing the hosts's IP address for each network interface. But again, Logstash already listens on all interfaces so I don't think it'll make a difference.

bambam · November 9, 2017, 3:02pm

So would If I'm trying to collect syslog messages would I modify the logstash-syslog.conf to look like this?

input {
tcp {
port => 5000
type => syslog
}
udp {
port => 5000
type => syslog
}
}
input {
tcp {
port => 5000
type => syslog
}
udp {
port => 5000
type => syslog
}
}

filter {
if [type] == "syslog" {
grok {
# orig: match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }

  match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: (%{LOGLEVEL:Severity})?%{GREEDYDATA:syslog_message}" }
  add_field => [ "received_at", "%{@timestamp}" ]
  add_field => [ "received_from", "%{host}" ]
  add_field => [ "Hostname", "%{syslog_hostname}" ]
}
syslog_pri { }
date {
  match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
}

}

magnusbaeck · November 9, 2017, 3:17pm

I repeat: Have you verified that it's impossible to reach Logstash from any of the networks?

bambam · November 9, 2017, 3:18pm

Yes, I can communicate with Lostash from both networks.

magnusbaeck · November 9, 2017, 4:17pm

Wasn't the problem that Logstash didn't receive data from one of the NICs? If you're able to connect to Logstash from both networks but not seeing anything in Logstash from one of the networks then I don't think it's a Logstash problem.

system · December 7, 2017, 4:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.