Filebeat Syslog isn't Opening Port

Good Afternoon,

First off, thank you for whatever help/suggestions you provide.

I recently posted in the r/elasticsearch trying to understand the difference between logstash and filebeat and was greatly helped by someone on the team. However, as all things do, it spiraled into him helping me troubleshoot and that isn't what he needs to do. So he pointed me here.

I am attempting to set up a local filebeat that acts like a syslog receiver, following the instructions here: Syslog input | Filebeat Reference [7.12] | Elastic and Configure the output | Filebeat Reference [7.12] | Elastic.

When I add those configurations to my filebeat.yml I see the local syslog traffic in Elastic, but I am not seeing port 9000 (I also tried 514, but that didn't matter really) open to receive syslog logs from other systems. Is my understanding of that wrong? Or did I mess up somewhere?

Here are my filebeat.yml configs.

 - type: syslog
   protocol.udp:
   host: "localhost:9000"
 
 # Change to true to enable this input configuration.
 enabled: false
   # Paths that should be crawled and fetched. Glob based paths.
         paths:
      - /var/log/*.log
 output.elasticsearch:
  # Array of hosts to connect to.
   hosts: ["localhost:9200"]
   username: "[redacted]"
   password: "[Redacted]"

Again thank you for the help.

So it looks like you have input settings for both the syslog and file input as part of the same input.

Remove the paths key and path or move it to its own input. Indent the enabled key to line up with the host key and change to true if u want to use it. Also if u want to listen outside of localhost, change that to 0.0.0.0:9000 to listen on all ips.

First off thank you!

Let me see if I get this right.

- type: syslog
   protocol.udp:
   host: "0.0.0.0:9000"
 
 # Change to true to enable this input configuration.
    enabled: true
 - type: log
       # Paths that should be crawled and fetched. Glob based paths.
    paths:
          - /var/log/*.log
 output.elasticsearch:
  # Array of hosts to connect to.
   hosts: ["localhost:9200"]
   username: "[redacted]"
   password: "[Redacted]"

Is that correct?

Conceptually yes. U still have some uneven indentation that u need to fix. Also if you're not actually going to read log files from the system I would comment out those lines.

So this is what it should look like?

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

- type: syslog
  protocol.udp:
   host: "0.0.0.0:9000"

  # Change to true to enable this input configuration.
  enabled: true

I took out the local path for now just trying to get the rest of the syslog working.
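Added example, not code from the thread or from Elastic: a stdlib-only Python check that maps each key of a filebeat.yml to the input that YAML's indentation puts it in, then flags the two layout problems the reply points out (a paths key inside the syslog input, and a listener that is missing or bound to localhost instead of 0.0.0.0). The BROKEN and FIXED strings are constructed here, the function names are mine, and the nesting of host under protocol.udp follows the Filebeat syslog input docs linked in the question.

```python
import re
KEY = re.compile(r"^(\s*)(- )?([A-Za-z0-9_.]+):\s*(.*)$")  # indent, '- ', key, value

def filebeat_inputs(yaml_text):
    """One dict per '- ' item under filebeat.inputs, keyed by the indentation-derived dotted path."""
    stack, inputs = [], []
    for m in filter(None, map(KEY.match, yaml_text.splitlines())):  # comments/globs never match
        indent, dash, key, value = m.groups()
        col = len(indent) + (2 if dash else 0)  # keys of a list item sit right of the '-'
        # Close deeper/sibling entries and, for a new '- ', the previous item of its list.
        while stack and (stack[-1][0] >= col or dash and stack[-1][1] == "-"):
            stack.pop()
        if dash:
            if stack and stack[-1][1] == "filebeat.inputs":
                inputs.append({})
            stack.append((len(indent), "-"))
        stack.append((col, key))
        names = [n for _, n in stack]
        if names[:2] == ["filebeat.inputs", "-"]:
            inputs[-1][".".join(names[2:])] = value.strip().strip('"')
    return inputs

def lint_syslog_inputs(yaml_text):
    """The reply's advice as checks on each syslog input; [] means it is laid out right."""
    findings = []
    for idx, keys in enumerate(filebeat_inputs(yaml_text)):
        if keys.get("type") != "syslog":
            continue
        if "paths" in keys:
            findings.append(f"input {idx}: 'paths' belongs in its own '- type: log' input")
        listen = keys.get("protocol.udp.host") or keys.get("protocol.tcp.host") or ""
        if listen.split(":")[0] in ("", "localhost", "127.0.0.1"):
            findings.append(f"input {idx}: protocol.udp.host is {listen!r}; use 0.0.0.0:<port> for other systems")
    return findings

# Constructed samples: the first post's layout as the reply reads it, then the final layout.
BROKEN = """\
filebeat.inputs:
- type: syslog
  protocol.udp:
  host: "localhost:9000"
  paths:
    - /var/log/*.log
"""
FIXED = """\
filebeat.inputs:
- type: syslog
  protocol.udp:
    host: "0.0.0.0:9000"
"""
```

Call lint_syslog_inputs(BROKEN) to see both findings, and lint_syslog_inputs(FIXED) for the empty list; a second "- type: log" input with its own paths key is left alone.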
