I configured rsyslog for my Linux server; now I want to send logs to LOGSTASH. How could I achieve that?

Below is my rsyslog conf. My audit logs are generated in syslog only.

Hello,

Please do not share screenshots of logs or configurations; share them as plain text using the Preformatted text option (the </> button). Screenshots can be pretty hard to read, which is the case here.

# /etc/rsyslog.conf configuration file for rsyslog
#
# For more information install rsyslog-doc and see
# /usr/share/doc/rsyslog-doc/html/configuration/index.html
#
# Default logging rules can be found in /etc/rsyslog.d/50-default.conf


#################
#### MODULES ####
#################

module(load="imuxsock") # provides support for local system logging
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

# provides kernel logging support and enable non-kernel klog messages
module(load="imklog" permitnonkernelfacility="on")

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog

#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog
#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf
$template remote-incoming-logs,"/var/log/%HOSTNAME%/%PROGRAMNAME%.log"
*.* ?remote-incoming-logs
& ~

#Send logs to syslog server
$PreserveFQDN on
*.* @127.0.0.1:514
$ActionQueueFileName queue
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1

This is my conf. on AWS EC2 Linux, and my Logstash is on a Windows system. Is there any way I can send logs to Logstash using the SYSLOG input plugin?

I tried the configuration below, but it did not work for me:

input {
    syslog {
        port => 514
        type => "syslog"
    }
}

What is not working? You need to share some Logstash logs.

Also, Rsyslog configuration is out of the scope of this forum, but are you sure that your configuration is correct?

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")

It seems that you configured Rsyslog to listen on port 514 on both TCP and UDP.

And this line shows that you configured your rsyslog to redirect all logs to 127.0.0.1 on port 514 using UDP.

*.* @127.0.0.1:514

And your Logstash configuration is also not correct, for two reasons. The first is that if you run Logstash as a service it runs under the logstash user, which is not allowed to bind to ports below 1024; you should also avoid running Logstash as the root user, so you need to change this port from 514 to something higher, like 5114. The second reason is that it seems both your rsyslog and Logstash are on the same machine, and it is not possible to use the same port for two different services.

You are already using port 514 in your rsyslog; even if Logstash were able to bind to port 514 it would not work, because the port is already in use.

input {
    syslog {
        port => 514
        type => "syslog"
    }
}

Change the logstash port to something like 5114 and change your rsyslog to redirect the logs to this port.
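A small consistency check for the port clash described in this reply, added here as an example and not part of the thread: it parses excerpts of the rsyslog and Logstash configs posted above (embedded as constructed samples) and reports the three problems the reply names (privileged port, port already bound by rsyslog, rsyslog forwarding to its own listener), and reports nothing once both sides are moved to 5114. The regexes are an assumption of this example and only cover `input(type=...)` statements, legacy `@host:port` / `@@host:port` actions and `port => N`.

```python
import re

# Constructed excerpts of the two configurations posted in this thread.
RSYSLOG_CONF = """
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")
*.* @127.0.0.1:514
"""
LOGSTASH_CONF = """
input {
    syslog {
        port => 514
        type => "syslog"
    }
}
"""

def rsyslog_listen_ports(conf):
    """(proto, port) pairs rsyslog itself binds via imudp/imtcp input() statements."""
    return {(m.group(1)[2:], int(m.group(2))) for m in
            re.finditer(r'input\(type="(imudp|imtcp)"\s+port="(\d+)"', conf)}

def rsyslog_forward_targets(conf):
    """(proto, host, port) of legacy '*.* @host:port' (UDP) / '@@host:port' (TCP) actions."""
    targets = []
    for m in re.finditer(r'^\S+\s+(@@?)\[?([^\]:\s]+)\]?:(\d+)', conf, re.M):
        targets.append(("tcp" if m.group(1) == "@@" else "udp", m.group(2), int(m.group(3))))
    return targets

def logstash_syslog_ports(conf):
    """Ports declared as 'port => N' in the Logstash syslog input."""
    return [int(p) for p in re.findall(r'port\s*=>\s*(\d+)', conf)]

def find_conflicts(rsyslog_conf, logstash_conf, same_host=True):
    """Problems the reply describes; an empty list means the two configs agree."""
    problems = []
    listens = rsyslog_listen_ports(rsyslog_conf)
    for port in logstash_syslog_ports(logstash_conf):
        if port < 1024:  # the logstash service user cannot bind privileged ports
            problems.append(f"logstash port {port} is below 1024; use e.g. 5114")
        if same_host and any(p == port for _, p in listens):
            problems.append(f"logstash port {port} is already bound by rsyslog")
        for proto, host, tport in rsyslog_forward_targets(rsyslog_conf):
            if host in ("127.0.0.1", "localhost") and (proto, tport) in listens:
                problems.append(f"rsyslog forwards to itself on {proto}/{tport}")
            if tport != port:
                problems.append(f"rsyslog forwards to {tport} but logstash listens on {port}")
    return problems
```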
