Finding data with logstash 7.13.4

I have my installation of the ELK stack up and running. All three aspects are running on separate servers but they all communicate and can talk to one another. I have not yet installed any Beats or Security on the installation, however I have forwarded port 514 to a new one so that the Syslogs that are being directed to my Logstash can be collected and seen. After running a tail on the logstash-plain.log I see that UDP Listener started { :address=>"", : receive_buffer_bytes=>"106496", :queue_size=>"2000"} .

This makes me secure in believing I have UDP syslogs being collected. Where would I see them on the Logstash server, using Terminal. There is no Desktop interface.

Thank you for any and all assistance.

What is your question?

Hello Badger;

I am trying to see what information, if any is being passed to the Logstash. After speaking to another person the information should be getting to Elasticsearch and of course from there to Kibana where I can run searches through DevTools.

I have followed the following:

and added the syslog/udp information into my logstash.conf file. Mostly it is working. Here is the error and my config file for review.

I just want to try and get the information to be seen in my Kibana at this point. before I move on to adding security to my systems.


Sample Logstash configuration for creating a simple

Beats -> Logstash -> Elasticsearch pipeline.

input {
beats {
port => 5044

input {
udp {
port => 5144
type => syslog

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]

output {
Elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }

output {
Elasticsearch {
hosts => [""]
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
#user => "elastic"
#password => "changeme"

Any help you can provide is greatly appreciated.  

Thank you.

It is corrected. No more errors.

Just a few things for future topics @MKirby;

  • Please don't post pictures of text or code. They are difficult to read, impossible to search and replicate (if it's code), and some people may not be even able to see them
  • Please also format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you

And if you've found a solution then it'd be good to share it in the thread, it might help someone in future.

My bad on the picture. Not something I do regularly, you can check other posts.

In the end the error was being displayed due to the positioning of my code. I had the output of the syslog placed above the output for the Beats. This was causing my troubles. When I moved the syscode output down below the Beats output it worked.

1 Like

No worries, and thanks for sharing that solution :slight_smile:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.