Forward logs from Kiwi to Elasticsearch

Elastic Stack Logstash
1

I would like to forward logs from Kiwi Syslog Server to Elasticsearch by Logstash.
After configuring both Kiwi log action and Logstash pipeline I see no log in ES side.

This is the Kiwi remote host forward rule:

Screen Shot 2020-09-06 at 19.26.27
Screen Shot 2020-09-06 at 19.26.271134×418 151 KB

This is a Logstash pipeline:

    input {
        udp {
            port => 514
            type => "syslog"
        }
    }
    filter {
    }
    output {
        if [type] == "syslog" {
            elasticsearch {
                hosts => ["https://xxx.eu-west-1.aws.found.io:9243"]
                user => "elastic"
                password => "xxx"
                index => "logs-endpoint-syslog-%{+YYYY.MM.dd}"
            }
        }
    }
2

What's in the Logstash logs?
Have you tried adding a stdout in the output to see if there's anything happening?

3

Where and how are you running Logstash?

If it is a Linux system, the port 514 could be already been used by a local rsyslog server, and even if it is not the case, this is a privileged port, logstash won't be able to bind to that port unless you are running it as root, which is not the case if you are running Logstash as a service.

4

I tried TCP 5000 and 9243 - the result is the same, no logs arrive.

5

Is it possible to debug it some way? What exactly the "stdout" parameter should look like?

6

You need to look into the logstash logs to see what is happening.

To use the stdout output you just need to add it in the output block.

output {
    stdout { }
}
7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.