Hi all,
I need to create a solution that amends syslogs to be RFC 3164 compliant and ultimately sends them on to a QRadar at a customer's site.
To test this I have created two Linux VMs, both of which can ping each other etc. I'm using Filebeat with Logstash on both, and they each have the logstash user created and it is a member of the logstash group.
The Sender server [192.168.1.2] grabs a log file which has aggregated logs from switches and servers and should send them on to the receiver [192.168.1.3].
My Sender server Filebeat config:

```yaml
filebeat.inputs:
  - type: filestream
    id: filestream-id
    paths:
      - /tmp/logserverlog/logfilelogac.log

output.logstash:
  hosts: ["192.168.1.2:5044"]
```
My Sender server Logstash pipeline config:

```
input {
  beats {
    port => "5044"
    type => "syslog"
    ssl => false
  }
}
output {
  syslog {
    host => "192.168.1.3"
    port => 5044
    protocol => "tcp"
    rfc => "rfc3164"
  }
}
```
My Receiver server's [192.168.1.3] Filebeat config:

```yaml
filebeat.inputs:
  - type: syslog
    format: rfc3164
    protocol.tcp:
      host: "192.168.1.2:5044"
  #- type: tcp
  #  format: rfc3164
  #  log_errors: true
  #  add_error_key: true
  #  max_message_size: 90MiB
  #  host: "192.168.1.2:5044"

output.logstash:
  hosts: ["localhost:5045"]
```
My Receiver server's Logstash pipeline:

```
input {
  beats {
    port => "5045"
    type => "syslog"
    ssl => false
  }
}
output {
  file {
    path => "/tmp/testfile.log"
  }
}
```
I am getting this ECONNREFUSED: Connection Refused error and was wondering if you could offer some advice on what I am missing please:

```
[2022-09-01T08:32:42,596][WARN ][logstash.outputs.syslog ][main][f8c5578f97a0c19fc8375501f2f65281904c8955e4c362fdcc98018a7cd3059d] syslog tcp output exception: closing, reconnecting and resending event {:host=>"192.168.1.3", :port=>5044, :exception=>#<Errno::ECONNREFUSED: Connection refused - connect(2) for "192.168.1.3" port 5044>, :backtrace=>["org/jruby/ext/socket/RubyTCPSocket.java:134:in `initialize'", "org/jruby/RubyIO.java:876:in `new'", "/usr/share/logstash/vendor/local_gems/54adea01/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:209:in `connect'", "/usr/share/logstash/vendor/local_gems/54adea01/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:177:in `publish'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-codec-plain-3.1.0/lib/logstash/codecs/plain.rb:59:in `encode'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:48:in `block in encode'", "org/logstash/instrument/metrics/AbstractSimpleMetricExt.java:65:in `time'", "org/logstash/instrument/metrics/AbstractNamespacedMetricExt.java:64:in `time'", "/usr/share/logstash/logstash-core/lib/logstash/codecs/delegator.rb:47:in `encode'", "/usr/share/logstash/vendor/local_gems/54adea01/logstash-output-syslog-3.0.5/lib/logstash/outputs/syslog.rb:147:in `receive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:105:in `block in multi_receive'", "org/jruby/RubyArray.java:1821:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:105:in `multi_receive'", "org/logstash/config/ir/compiler/OutputStrategyExt.java:143:in `multi_receive'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:121:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:300:in `block in start_workers'"], :event=>#<LogStash::Event:0x1195d12d>}
```
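An added illustration of what the receiving end of the setup above has to do (this is not code from the post, Filebeat or Logstash): a socket bound on a local address that accepts the newline-framed TCP syslog the Logstash syslog output sends, and a check of each line against the RFC 3164 shape (PRI, timestamp, hostname, TAG) that QRadar expects. The sample lines, the bind address and the use of an ephemeral port are constructed assumptions.

```python
import re
import socket
import threading

# Constructed sample lines (not from the post): the first has the RFC 3164
# shape, the second is a bare switch line with no PRI, timestamp or hostname.
SAMPLES = [
    "<134>Sep  1 08:32:42 sw-core01 lldp[212]: neighbor change on Gi1/0/1",
    "link down on port 3",
]

# PRI is 0..191 (facility 0..23, severity 0..7); TIMESTAMP is "Mmm dd hh:mm:ss"
# with a space-padded day; the common "TAG[pid]: MSG" form is accepted.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ 1-3]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_./-]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

def parse_rfc3164(line):
    """Return the parsed fields, or None if the line is not RFC 3164 shaped."""
    m = RFC3164.match(line.rstrip("\r\n"))
    if not m or int(m.group("pri")) > 191:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group("ts"),
            "host": m.group("host"), "tag": m.group("tag"), "msg": m.group("msg")}

def receive_tcp(bind_host, port, wire_bytes):
    """Listen on bind_host:port (must be a LOCAL address of the receiver, not the
    sender's), accept one connection carrying newline-framed syslog, and return
    (parsed, rejected). The sending side is simulated by an in-process client."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, port))          # fails with EADDRNOTAVAIL if not local
    srv.listen(1)
    bound_port = srv.getsockname()[1]    # port 0 picks an ephemeral port

    def client():
        with socket.create_connection((bind_host, bound_port)) as c:
            c.sendall(wire_bytes)

    t = threading.Thread(target=client)
    t.start()
    conn, _ = srv.accept()
    data = b""
    while chunk := conn.recv(4096):
        data += chunk
    conn.close(); srv.close(); t.join()
    parsed, rejected = [], []
    for line in data.decode("utf-8", "replace").split("\n"):
        if line:
            p = parse_rfc3164(line)
            (parsed if p else rejected).append(p or line)
    return parsed, rejected
```

Lines that land in `rejected` are the ones the sender still has to amend before they will parse as RFC 3164 downstream.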