Forward logs from Kiwi to Elasticsearch

I would like to forward logs from Kiwi Syslog Server to Elasticsearch by Logstash.
After configuring both Kiwi log action and Logstash pipeline I see no log in ES side.

This is the Kiwi remote host forward rule:

This is a Logstash pipeline:

    input {
        udp {
            port => 514
            type => "syslog"
        }
    }
    filter {
    }
    output {
        if [type] == "syslog" {
            elasticsearch {
                hosts => ["https://xxx.eu-west-1.aws.found.io:9243"]
                user => "elastic"
                password => "xxx"
                index => "logs-endpoint-syslog-%{+YYYY.MM.dd}"
            }
        }
    }

What's in the Logstash logs?
Have you tried adding a stdout in the output to see if there's anything happening?

Where and how are you running Logstash?

If it is a Linux system, port 514 could already be in use by a local rsyslog server, and even if that is not the case, it is a privileged port: Logstash won't be able to bind to it unless you are running it as root, which is not the case if you are running Logstash as a service.
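A small Python probe, added here as an illustration and not code from the thread, from Logstash or from Kiwi: it attempts the same UDP bind that Logstash's udp input performs and reports whether a failure is the privileged-port case (not root) or a port already held by another listener such as rsyslog, then sends one constructed RFC 3164 syslog line to a loopback listener so you can confirm a datagram actually crosses the wire. The port numbers, hostname, app name and sample message are assumptions.

```python
import errno
import socket
from datetime import datetime

PRIVILEGED_PORT_MAX = 1023  # ports 1..1023 need root (or CAP_NET_BIND_SERVICE) on Linux


def is_privileged_port(port):
    """True for the low ports a non-root Logstash service cannot bind (e.g. 514)."""
    return 0 < port <= PRIVILEGED_PORT_MAX


def try_bind_udp(port, host="127.0.0.1"):
    """Attempt the same UDP bind Logstash's udp input would do.

    Returns (socket, "bound") on success, or (None, reason) naming the cause:
    a privileged port without root, or a port already owned by another
    listener such as a local rsyslog.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return sock, "bound"
    except PermissionError:
        sock.close()
        return None, "permission denied: privileged port and not running as root"
    except OSError as exc:
        sock.close()
        if exc.errno == errno.EADDRINUSE:
            return None, "address in use: another listener (e.g. rsyslog) owns the port"
        return None, f"bind failed: {exc}"


def build_syslog_message(facility=1, severity=6, hostname="kiwi-test",
                         app="probe", text="test message",
                         when=datetime(2024, 1, 1, 12, 0, 0)):
    """Build a constructed RFC 3164 line in the shape a syslog forwarder sends.

    Format: <PRI>Mmm dd HH:MM:SS hostname app: text, with PRI = facility*8 + severity.
    The timestamp defaults to a fixed value so the output is reproducible.
    """
    pri = facility * 8 + severity
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # RFC 3164 pads the day with a space
    return f"<{pri}>{stamp} {hostname} {app}: {text}"


def loopback_probe(port, text="test message", timeout=2.0):
    """Bind a listener on `port`, send one syslog datagram to it, return what arrived.

    Returns (received_text, status). Port 0 lets the OS pick a free unprivileged
    port, which isolates the send/receive path from the bind question.
    """
    listener, status = try_bind_udp(port)
    if listener is None:
        return None, status
    try:
        listener.settimeout(timeout)
        bound_port = listener.getsockname()[1]
        message = build_syslog_message(text=text)
        sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sender.sendto(message.encode("utf-8"), ("127.0.0.1", bound_port))
        finally:
            sender.close()
        data, _ = listener.recvfrom(2048)
        return data.decode("utf-8"), "received"
    except socket.timeout:
        return None, "timed out: datagram never arrived"
    finally:
        listener.close()


if __name__ == "__main__":
    # Assumed ports: 514 (the thread's original) and 5514 (an unprivileged alternative).
    for port in (514, 5514):
        sock, status = try_bind_udp(port)
        print(f"udp/{port}: privileged={is_privileged_port(port)} -> {status}")
        if sock:
            sock.close()
    print(loopback_probe(0, text="hello from the probe"))
```

Run it as the same unprivileged user the Logstash service uses: udp/514 is refused while udp/5514 binds. If 514 binds because you happen to be root and the loopback probe still receives its line, the input side is fine and the Logstash logs are the next place to look.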

I tried TCP 5000 and 9243 - the result is the same, no logs arrive.

Is it possible to debug it some way? What exactly should the "stdout" parameter look like?

You need to look into the logstash logs to see what is happening.

To use the stdout output you just need to add it in the output block.

    output {
        stdout { }
    }
