Finding data with logstash 7.13.4

MKirby · October 7, 2021, 1:16pm

I have my installation of the ELK stack up and running. All three aspects are running on separate servers but they all communicate and can talk to one another. I have not yet installed any Beats or Security on the installation, however I have forwarded port 514 to a new one so that the Syslogs that are being directed to my Logstash can be collected and seen. After running a tail on the logstash-plain.log I see that UDP Listener started { :address=>"0.0.0.0:50XX", : receive_buffer_bytes=>"106496", :queue_size=>"2000"} .

This makes me secure in believing I have UDP syslogs being collected. Where would I see them on the Logstash server, using Terminal. There is no Desktop interface.

Thank you for any and all assistance.

Badger · October 7, 2021, 3:58pm

What is your question?

MKirby · October 7, 2021, 4:18pm

Hello Badger;

I am trying to see what information, if any is being passed to the Logstash. After speaking to another person the information should be getting to Elasticsearch and of course from there to Kibana where I can run searches through DevTools.

I have followed the following:
https://www.elastic.co/guide/en/logstash/current/config-examples.html

and added the syslog/udp information into my logstash.conf file. Mostly it is working. Here is the error and my config file for review.

I just want to try and get the information to be seen in my Kibana at this point. before I move on to adding security to my systems.

``'

Sample Logstash configuration for creating a simple

Beats -> Logstash -> Elasticsearch pipeline.

input {
beats {
port => 5044
}
}

input {
udp {
port => 5144
type => syslog
}
}

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
}

output {
Elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}
}

output {
Elasticsearch {
hosts => ["http://192.168.56.9:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
#user => "elastic"
#password => "changeme"
}
}

Any help you can provide is greatly appreciated.  

Thank you.

MKirby · October 7, 2021, 5:27pm

It is corrected. No more errors.

warkolm · October 10, 2021, 10:45pm

Just a few things for future topics @MKirby;

Please don't post pictures of text or code. They are difficult to read, impossible to search and replicate (if it's code), and some people may not be even able to see them
Please also format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you

And if you've found a solution then it'd be good to share it in the thread, it might help someone in future.

MKirby · October 12, 2021, 3:02pm

My bad on the picture. Not something I do regularly, you can check other posts.

In the end the error was being displayed due to the positioning of my code. I had the output of the syslog placed above the output for the Beats. This was causing my troubles. When I moved the syscode output down below the Beats output it worked.

warkolm · October 12, 2021, 8:44pm

No worries, and thanks for sharing that solution

system · November 9, 2021, 8:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.