Dell Powerconnect remote logging setup


#1

Has anyone used ELK to set up a log server for a Dell Powerconnect stack? I'm at a loss for what to do next. I used this article to set up the server and have the filter (I believe) set up for the logs, however I'm not sure where the problem is. I am thinking it's with the input setup (which I changed to UDP) but not entirely sure from here.


(Magnus Bäck) #2

We need more details. Is the device logging via syslog? To UDP port 514 on the Logstash box? Have you verified that it's actually sending messages, e.g. via packet tracing? Is Logstash listening on port 514 (which would require you to run Logstash as root or employ a workaround)? What's your Logstash configuration?


#3

Sorry about the lack of information. This job has been a baptism by fire. The switches log via syslog, and I am using UDP port 514. I have not verified that it is sending yet, since I have been troubleshooting a few other issues so far.
Currently, the error I am receiving is UDP listener died. I have tried to change permissions using chmod.
Netstat -unl output:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:41483           0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:48254           0.0.0.0:*
udp6       0      0 :::41483                :::*
udp6       0      0 :::54328                :::*
udp6       0      0 :::46232                :::*

(Magnus Bäck) #4

Currently, the error I am receiving is UDP listener died.

Full error message please. Unless you've actively reconfigured Logstash to run as root that's almost certainly the problem.


#5
 {
:timestamp=>"2015-10-01T09:49:10.865000-0400", 
:message=>"UDP listener died", :exception=>#<SocketError: bind: name or service not known>,
 :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in `bind'",
 "/opt/logstash/lib/logstash/inputs/udp.rb:69:in `udp_listener'", "/opt/logstash/lib/logstash/inputs/udp.rb:50:in `run'", 
"/opt/logstash/lib/logstash/pipeline.rb:163:in `inputworker'",
 "/opt/logstash/lib/logstash/pipeline.rb:157:in `start_input'"], :level=>:warn
}

(Magnus Bäck) #6

Okay. Not the error message I expected, but again, without active reconfiguration Logstash will not listen on port 514. Running Logstash as root isn't really recommended so if you can change the switch to send to another port that would make things easier.


#7

I have currently reconfigured both to use port 8484 (From what I can tell that should be fine). And I am still receiving the above error.
udp6 0 0 :::8484 :::*

Has been added to the netstat output. Seem to be getting closer to solving the issue.


#8

Just as an update. I decided (on a whim) to change the input to

udp{
      host => (the host the switches are set to send to)
      port => 8484
}

I am actually receiving the logs, however still getting the above error.


#9

Ok final update, I finally figured out that in my initial configuration I set up logstash to use a port that was going unused and I believe it didn't have permission to use. So after eliminating that file no more errors are being thrown. Basically, I just needed to clean up some of the config files.


#10

Did you find that the Dell's syslog output was non-conformant? I just started playing with an N3000 series switch sending syslog to logstash, and found the default patterns failing due to an additional space after the initial value.
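
The extra space described in post #10, as an added example that is not part of the thread and is not Logstash or Dell code: a Python parser that accepts optional whitespace after the priority field and records whether the line was strictly RFC 3164. It assumes the "initial value" is the `<PRI>` field; the sample lines are constructed, not captured switch output, and the names `parse`, `STRICT` and `TOLERANT` are hypothetical.

```python
import re

# Everything after "<PRI>": BSD timestamp, host, then the rest of the line.
_REST = (r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
         r"(?P<host>\S+) (?P<msg>.*)$")

# Strict RFC 3164: the timestamp follows "<PRI>" with nothing in between.
STRICT = re.compile(r"^<(?P<pri>\d{1,3})>" + _REST)
# Tolerant: same header, but whitespace after "<PRI>" is accepted.
TOLERANT = re.compile(r"^<(?P<pri>\d{1,3})>\s*" + _REST)

SEVERITIES = ["emerg", "alert", "crit", "err",
              "warning", "notice", "info", "debug"]


def parse(line):
    """Return the parsed header fields, or None if the line is unparseable."""
    m = TOLERANT.match(line)
    if m is None:
        return None
    pri = int(m["pri"])
    if pri > 191:  # valid PRI is facility (0-23) * 8 + severity (0-7)
        return None
    return {
        "facility": pri >> 3,
        "severity": SEVERITIES[pri & 7],
        "timestamp": m["ts"],
        "host": m["host"],
        "message": m["msg"],
        # Keep a marker so non-conformant senders stay visible downstream.
        "strict_rfc3164": STRICT.match(line) is not None,
    }


# Constructed sample lines (assumption: not real switch output).
SAMPLES = [
    "<189>Oct  1 09:49:10 switch1 PORT: link up on Gi1/0/1",   # conformant
    "<189> Oct  1 09:49:10 switch1 PORT: link up on Gi1/0/1",  # extra space
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse(sample))
```

Lines that return `None` are better kept and tagged than dropped, so a sender with a broken format does not silently disappear from the log server.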


#11

I had a few issues getting the filter right. My best advice is to use one of the grok filter websites to set it up.

