Didn't get the output of Cisco router syslog in Logstash server

OS is CentOS 7.
Packages: logstash-2.2.4-1, elasticsearch-2.3.5-1, kibana-4.4.2-1

Logstash configuration is below:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
  udp {
    port => 514
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

The Cisco router has been configured accordingly and the server got the hit on the 514/udp port, but there is no log of it in the Logstash output.

What's the mistake I have made, or what would be the configuration for it? Any help!

Thanks in advance.

Start simple: does it show anything with an input and then direct to stdout?

Unless run as root or if you use one of the workarounds, Logstash won't be able to listen to the privileged 514 port. Are you sure Logstash starts up properly with the configuration above?

Logstash is not running as root :) and yes, it's starting properly. I have four CentOS machines configured with Filebeat, and all the logs are being imported nicely and showing on my Kibana dashboard.

Now I have found something in my Logstash log:

{:timestamp=>"2016-08-22T11:56:16.685000+0600", :message=>"UDP listener died", :exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in `bind'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-udp-2.0.5/lib/logstash/inputs/udp.rb:67:in `udp_listener'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-udp-2.0.5/lib/logstash/inputs/udp.rb:50:in `run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:334:in `inputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.4-java/lib/logstash/pipeline.rb:328:in `start_input'"], :level=>:warn}

The syslog plugin for Logstash input has already been installed.

I have changed the port from 514/udp to 9995/udp, reloaded the Logstash service on the server, and also reconfigured the router to send syslog to the respective port.
Now the error "UDP listener died" isn't showing, but there is no log from the router. :(
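A way to separate the two problems raised in this thread (can the listener bind the port, and does a datagram sent to it show up downstream), as an added example that is not part of the original posts. The function names, the `test-router` hostname and the sample message are assumptions constructed for illustration; ports 514 and 9995 are the ones mentioned above.

```python
import socket

def can_bind_udp(host, port):
    """Try to bind a UDP socket the way a listener would; return (ok, error)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((host, port))
        return True, None
    except OSError as exc:  # e.g. PermissionError on ports < 1024, or address in use
        return False, exc
    finally:
        s.close()

def build_syslog(facility, severity, timestamp, hostname, program, text):
    """Build a BSD-style syslog line; PRI = facility * 8 + severity."""
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {program}: {text}".encode("ascii")

def parse_pri(datagram):
    """Return (facility, severity) from the leading <PRI>, or None if absent."""
    if not datagram.startswith(b"<"):
        return None
    end = datagram.find(b">")
    if end < 2 or not datagram[1:end].isdigit():
        return None
    return divmod(int(datagram[1:end]), 8)

def send_probe(host, port, datagram):
    """Send one datagram to the listener; return the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (host, port))

if __name__ == "__main__":
    # Run as the same user Logstash runs as, with Logstash stopped,
    # to see whether that account is able to bind each port.
    for port in (514, 9995):
        ok, err = can_bind_udp("0.0.0.0", port)
        print(f"bind udp/{port}: {'ok' if ok else err}")
    # Constructed sample message (local7.notice), not captured from the router.
    msg = build_syslog(23, 5, "Aug 22 11:56:16", "test-router", "probe",
                       "logstash udp input test")
    print("sent", send_probe("127.0.0.1", 9995, msg), "bytes:", msg.decode())
```

With Logstash running again and a stdout output enabled, the probe message should appear there; if it does but nothing reaches Kibana, the problem is in the filter or output stage rather than the UDP input.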

Were you able to fix this issue?