Hi guys! I absolutely love the ELK stack - please keep up the great work.
Background: We have an Ubuntu 16.04 rsyslog server collecting syslogs from various servers and network equipment. I've been tasked with trying to get ELK to present those logs (as well as Windows Events and application logs eventually). I installed Elasticsearch, Kibana, Logstash, and Filebeat on the syslog server.
At first I configured filebeat to read /var/log/syslog which contained all the logs received from any host. My /etc/filebeat/filebeat.yml had elasticsearch AND logstash as outputs, which I still don't understand (wouldn't you just want logstash as the destination for filebeat, and logstash in turn will send to elasticsearch which will be queried by kibana?? setup.kibana was also configured, further adding to my confusion. I'll ask for some clarification about all that in the appropriate sections.)
In any case that was working, but in kibana the beat.hostname was always that of the syslog/ELK server. The log sender is mentioned in the message itself, but that's not an indexed field and isn't very useful when sifting through the info.
I finally came across the logstash-input-syslog plugin today and realized this should solve that issue - logstash will hopefully parse which host sent each message it receives. I stopped listening on 514/udp with rsyslog and added the following syslog-input.conf file to /etc/logstash/conf.d/
input {
  syslog {
    port => 514
    type => "syslog_server"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
}
... but now "netstat -npl" doesn't show it listening on 514 tcp or udp. "ps -ef" shows logstash running as the "logstash" user, so do I just need to set a sticky bit or something in order to allow that user to bind to port 514?
Thanks in advance for any help you can provide!
-static-
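The per-message sender extraction the poster is hoping the syslog input will do, shown as an added example that is not part of the post and is not the logstash-input-syslog plugin's own code: a small Python parser for the BSD syslog (RFC 3164) line format that a UDP/TCP 514 listener receives. It keeps two distinct things apart, which is exactly what beat.hostname on the collector could not: the address the datagram came from (kept in `host`) and the hostname the sender wrote into the message (`logsource`). The output field names (`logsource`, `program`, `pid`, `priority`, `facility_label`, `severity_label`) and the `_grokparsefailure_sysloginput` tag on unparseable lines are modeled on the plugin's and are assumptions here; the facility/severity name lists and the three sample datagrams are constructed for the example.

```python
import re

# Facility and severity names keyed by their RFC 3164 section 4.1.1 numeric codes
# (constructed lists for this example; the plugin's own labels are worded differently).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = [
    "emergency", "alert", "critical", "error",
    "warning", "notice", "informational", "debug",
]

# BSD syslog line: <PRI>TIMESTAMP HOST [PROGRAM[PID]:] MESSAGE
# The "PROGRAM[PID]:" part is optional, as it is in logstash's SYSLOGBASE2 grok pattern.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+)"
    r"(?: (?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?:)?"
    r" (?P<message>.*)$",
    re.DOTALL,
)

FAILURE_TAG = "_grokparsefailure_sysloginput"  # assumed to mirror the plugin's tag


def parse_syslog(line: str, peer: str) -> dict:
    """Turn one raw syslog datagram into a flat event dict.

    `peer` is the socket address the datagram arrived from and is stored as
    `host`; `logsource` is the hostname embedded in the message by the sender.
    The two can legitimately differ (relays, NAT, misconfigured senders), so a
    detection engineer usually wants both indexed rather than either alone.
    """
    event = {"host": peer, "message": line}
    m = RFC3164.match(line)
    if not m:
        # Unparseable input: keep the raw line and tag it so it is still searchable.
        event["tags"] = [FAILURE_TAG]
        return event
    pri = int(m.group("pri"))
    if pri > 191:  # largest legal PRI is local7 (23) * 8 + debug (7)
        event["tags"] = [FAILURE_TAG]
        return event
    facility, severity = pri >> 3, pri & 7  # PRI = facility * 8 + severity
    event.update({
        "priority": pri,
        "facility": facility,
        "severity": severity,
        "facility_label": FACILITIES[facility],
        "severity_label": SEVERITIES[severity],
        "timestamp": m.group("timestamp"),
        "logsource": m.group("logsource"),
        "program": m.group("program"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("message"),
    })
    return event


# Constructed (peer address, datagram) pairs, not captured traffic. The second one
# has no "program:" prefix and the third is not syslog at all.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8"),
    ("10.0.0.99", "<13>Feb  5 17:32:18 10.0.0.99 Use the BFG!"),
    ("10.0.0.7", "this is not a syslog message"),
]


def parse_samples() -> list:
    """Parse every sample datagram and return the resulting events in order."""
    return [parse_syslog(line, peer) for peer, line in SAMPLE_DATAGRAMS]


if __name__ == "__main__":
    for ev in parse_samples():
        print(ev)
```

Running it shows the first event with `host` 10.0.0.5 but `logsource` mymachine, which is the distinction that lets Kibana filter by the real sender instead of the collector; the third event carries only the raw line plus the failure tag, so malformed input from a misbehaving device is still indexed rather than silently dropped.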