Getting data out of ELK and into Syslog

Hi, I know this might sound like a bit of a strange request, but I have an existing application that is designed to digest logs received via rsyslog.

It's a 3rd party provided app so I have no control over it and can't change how it gets its logs to analyse.

Now I'm already sending all my logs to ELK, quite successfully, and I don't want to duplicate either the firewall holes or bandwidth required and send 2 copies of my logs everywhere, once via Logstash and then again via rsyslog.

So is there an easy way to get Logstash to send a configurable sub-set of the logs somewhere else via rsyslog?

I have full control over my ELK cluster, but the output has to be something that can be sent via rsyslog to this remote log processing system.

It's also worth noting that it needs to be a subset; I don't want to send all the data, just certain sub-sets of the log data.

I tried searching, but it's hard to find anything other than guides on how to get syslog data into ELK, which I'm already doing successfully.

Thank you

Logstash's syslog output should be able to do what you want. With conditionals you can choose which events you ship via the syslog protocol.


https://www.elastic.co/guide/en/logstash/current/plugins-outputs-syslog.html ?

Logstash output { } can do parallel work like:

output {
  # Every output block receives the same event stream, so these run in parallel.
  gelf {
    params
  }
  syslog {
    params
  }
  elasticsearch {
    params
  }
  stdout { params }
}
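Putting the two replies together (conditional routing from the first answer, parallel outputs from the last), here is a complete pipeline added as an example; it is not from the original thread. The input, the `[type]`/tag values used to select the subset, and the host names and ports are assumptions to adapt to your own events.

```logstash
# Added example, not from the thread. Everything still reaches Elasticsearch;
# only events tagged in the filter stage are forwarded a second time, to the
# rsyslog-fed appliance. All field names, tags, hosts and ports are assumed.
input {
  beats { port => 5044 }
}

filter {
  # Assumption: shippers label firewall and auth events this way. Tagging the
  # subset here keeps the selection logic in one place and out of the output.
  if [type] == "firewall" or "auth" in [tags] {
    mutate { add_tag => [ "to_syslog" ] }
  }
}

output {
  # Full copy to the cluster, unchanged from the existing setup.
  elasticsearch {
    hosts => ["https://es01.example.internal:9200"]   # assumed
    index => "logs-%{+YYYY.MM.dd}"
  }

  # Only the tagged subset leaves the network again, via one host/port pair,
  # so a single firewall rule covers it and bandwidth is limited to that subset.
  if "to_syslog" in [tags] {
    syslog {
      host       => "logsink.example.internal"   # assumed address of the 3rd-party app
      port       => 514
      protocol   => "tcp"     # "ssl-tcp" with ssl_cacert/ssl_cert/ssl_key if the receiver offers TLS
      rfc        => "rfc5424"
      facility   => "local0"
      severity   => "informational"
      appname    => "logstash"
      sourcehost => "%{[host][name]}"
      message    => "%{message}"
    }
  }
}
```

Verify the receiving side sees RFC 5424 framing it can parse; if the appliance only understands the older format, set `rfc => "rfc3164"` instead.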