Help needed with Logstash and syslog config

janus · June 12, 2015, 8:36am

Hello all,

First of all I have to say that I am new to ELK, in fact I have just installed it in the system.

Let me go to the point.

I have followed the oceand digital manual to install elk in a brand new debian system (https://www.digitalocean.com/community/tutorials/how-to-install-elasticsearch-logstash-and-kibana-4-on-ubuntu-14-04) with a few modifications (basically using the latest versions and without ssl support)

Once configured, I have done three tests using this config files:
https://www.elastic.co/guide/en/logstash/master/config-examples.html

The first two tests run perfectly but when I get to the syslog one, no way.

This is my config file:


input {
  udp {
    port => 5000
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

And this is a snaptshot of the syslog data transfer

As it can be seen, logstash runs fine, no warnings,the system starts listening on port 5000(udp) but when i connect to the system using nc and sending the data, the data arrives but logstash does nothing

I have been looking in the logsthash logs but found nothing.

Any help will be appreciated.

Thanks a lot for your time,

yuphing · June 12, 2015, 9:04am

my match for pfsense syslogs looks like this (note the square brackets):

match => [ "message", "%{SYSLOGTIMESTAMP:syslog_timestamp}: %{WORD:syslog_severity} %{SYSLOGHOST:syslog_hostname} %{SYSLOGPROG:syslog_program}:%{SPACE} %{GREEDYDATA:syslog_message}" ]

janus · June 12, 2015, 9:31am

Thanks for the update yuphing.

I have done the change but it does not work.

I have loaded the modified config file, logstash runs fine, at least it does not give any erri, I send the info, the system gets it but logstash does nothing.

magnusbaeck · June 12, 2015, 10:07am

You have a udp input and a couple of filters, but where are your outputs? For debugging this is a common recommendation:

output {
  stdout {
    codec => rubydebug
  }
}

yuphing · June 12, 2015, 10:17am

magnusbaeck is right, I usually have something like this too for output:

output {
        if !("_grokparsefailure" in [tags]) {
                elasticsearch {
                        host => "localhost"
                        cluster => "elasticsearch_cluster"
                        index => "logstash-%{type}-%{+YYYY.MM.dd}"
                }
        } else {
                file {
                        path => "/var/log/logstash/debug-%{type}.out"
                }
        }
}

janus · June 12, 2015, 10:32am

Yeap, you are totally right, no ouptut. Have to say it, Im idiot xD, dont know how to copy and paste.

Thanks a lot guys, problem solved

Sorry for the inconvenience

Topic		Replies	Views
Syslog configuration output Logstash	2	583	July 6, 2017
Logstash as syslog server - TCP is not working Logstash	2	1843	February 28, 2020
Config Logstash for Syslog Logstash	5	1328	April 4, 2017
Parsing syslog from linux rsyslog Logstash	25	7947	July 6, 2017
Finding data with logstash 7.13.4 Logstash	7	350	November 9, 2021

Help needed with Logstash and syslog config

Related topics