Filebeat syslog input : enable both TCP + UDP on port 514

webfr · April 18, 2020, 6:19pm

Hello guys,
I can't enable BOTH protocols on port 514 with settings below in filebeat.yml
Does this input only support one protocol at a time? Nothing is written if I enable both protocols, I also tried with different ports. Filebeat directly connects to ES.

# Syslog input
filebeat.inputs:
- type: syslog
  enabled: true
  max_message_size: 10KiB
  keep_null: true
  timeout: 10
  protocol.udp:
    host: "myhost.net:514"

filebeat.inputs:
- type: syslog
  enabled: true
  max_message_size: 10KiB
  timeout: 10
  keep_null: true
  protocol.tcp:
    host: "myhost.net:514"

Log:
2020-04-18T20:39:12.200+0200 INFO [syslog] syslog/input.go:155 Starting Syslog input {"protocol": "tcp"}
nothing in log regarding udp.

Thanks for your help.

shaunak · April 21, 2020, 10:05am

The problem might be that you have two filebeat.inputs: sections. How about something like the following instead?

# Syslog input
filebeat.inputs:
- type: syslog
  enabled: true
  max_message_size: 10KiB
  keep_null: true
  timeout: 10
  protocol.udp:
    host: "myhost.net:514"

- type: syslog
  enabled: true
  max_message_size: 10KiB
  timeout: 10
  keep_null: true
  protocol.tcp:
    host: "myhost.net:514"

webfr · April 21, 2020, 1:34pm

It works, thanks

2020-04-21T15:14:32.017+0200 INFO [syslog] syslog/input.go:155 Starting Syslog input {"protocol": "tcp"}
2020-04-21T15:14:32.018+0200 INFO [syslog] syslog/input.go:155 Starting Syslog input {"protocol": "udp"}

system · May 19, 2020, 1:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.