How do I see ingested syslog data?


#1

Hi,

I got Elastic configured last night and have Logstash listening on port 5000:

$ netstat -aptn |grep LIST |grep 5000
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 10743/java

I have rsyslog on a different forwarding its logs and using tcpdump, I can see those logs successfully coming in:

15:01:24.857193 IP (tos 0x0, ttl 64, id 8529, offset 0, flags [DF], proto TCP (6), length 288)
192.168.86.2.56978 > 192.168.86.10.5000: Flags [P.], cksum 0x94f0 (correct), seq 3126601903:3126602139, ack 493492715, win 229, options [nop,nop,TS val 197900065 ecr 454460565], length 236
0x0000: 4500 0120 2151 4000 4006 eb29 c0a8 5602 E...!Q@.@..)..V.
0x0010: c0a8 560a de92 1388 ba5c 28af 1d6a 19eb ..V......(..j..
0x0020: 8018 00e5 94f0 0000 0101 080a 0bcb b721 ...............!
0x0030: 1b16 8495 3c34 3e53 6570 2033 3020 3135 ....<4>Sep.30.15
0x0040: 3a30 313a 3234 2061 726e 6f6c 6420 6b65 :01:24.test.ke
0x0050: 726e 656c 3a20 5b31 3832 3032 302e 3637 rnel:.[182020.67
0x0060: 3339 3837 5d20 5b55 4657 2042 4c4f 434b 3987].[UFW.BLOCK
0x0070: 5d20 494e 3d62 7230 204f 5554 3d20 4d41 ].IN=br0.OUT=.MA
0x0080: 433d 3138 3a30 333a 3733 3a34 393a 3064 C=18:03:73:49:0d
0x0090: 3a35 323a 6238 3a33 653a 3539 3a37 383a :52:b8:3e:59:78:
0x00a0: 6130 3a30 363a 3038 3a30 3020 5352 433d a0:06:08:00.SRC=
0x00b0: 3139 322e 3136 382e 3836 2e31 3738 2044 192.168.86.178.D
0x00c0: 5354 3d31 3932 2e31 3638 2e38 362e 3220 ST=192.168.86.2.
0x00d0: 4c45 4e3d 3238 3420 544f 533d 3078 3030 LEN=284.TOS=0x00
0x00e0: 2050 5245 433d 3078 3030 2054 544c 3d36 .PREC=0x00.TTL=6
0x00f0: 3420 4944 3d30 2044 4620 5052 4f54 4f3d 4.ID=0.DF.PROTO=
0x0100: 5544 5020 5350 543d 3139 3030 2044 5054 UDP.SPT=1900.DPT
0x0110: 3d34 3636 3532 204c 454e 3d32 3634 200a =46652.LEN=264..

But I can't find this data anywhere in Kibana. If I go to add a syslog source, it's just for the local syslog server. What do I need to do to be able to see this data?

Thanks!


(Brandon Kobel) #2

Hey @meatwad, do you have Logstash configured to output the events into Elasticsearch using the Elasticsearch output plugin? Once you have Logstash writing data to Elasticsearch, you can then configure Kibana to display the data that is in those indices by creating an index pattern against the ES index.
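The pipeline Brandon describes, written out as an added example (this is not configuration from the thread or from Elastic): a Logstash `syslog` input on the port the poster's Logstash already listens on, a `kv` filter that splits the UFW BLOCK fields visible in the tcpdump capture into their own fields so they can be searched in Kibana, and the `elasticsearch` output that was missing. The Elasticsearch host, the index name and the `ufw` target field are assumptions; adjust them to the deployment.

```conf
# Added example pipeline, not from the original thread. Assumes Elasticsearch
# is reachable at http://localhost:9200; the index name and "ufw" target field
# are chosen here for illustration.
input {
  # Accept RFC3164 syslog over TCP and UDP on port 5000, the port the poster's
  # Logstash is already listening on. The plugin parses the <PRI>, timestamp
  # and host for you and leaves the rest in "message".
  syslog {
    port => 5000
  }
}

filter {
  # The captured packet carries a kernel line like
  # "[182020.673987] [UFW BLOCK] IN=br0 OUT= MAC=... SRC=192.168.86.178
  #  DST=192.168.86.2 LEN=284 ... PROTO=UDP SPT=1900 DPT=46652 LEN=264"
  # Pull the key=value pairs into fields so Kibana can filter on, for
  # example, ufw.DST or ufw.DPT instead of free-text searching the message.
  if [message] =~ /\[UFW BLOCK\]/ {
    kv {
      source       => "message"
      field_split  => " "
      value_split  => "="
      include_keys => ["IN", "SRC", "DST", "PROTO", "SPT", "DPT", "LEN"]
      target       => "ufw"
    }
  }
}

output {
  # Without an output stage the events are received on port 5000 but never
  # indexed, so there is nothing for Kibana to display.
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "syslog-%{+YYYY.MM.dd}"
  }
  # Uncomment while debugging to see each parsed event on the Logstash console.
  # stdout { codec => rubydebug }
}
```

Start Logstash with this file (`bin/logstash -f syslog.conf`), confirm documents are arriving with `curl 'http://localhost:9200/_cat/indices/syslog-*'`, and then create an index pattern matching `syslog-*` in Kibana; events forwarded by rsyslog should appear in Discover from that point on.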


(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.