I do not receive the logs in Logstash (Heroku)

I have opened port 1514 (TCP) on my Windows machine (localhost).
I want to see the Heroku logs in the remote Elasticsearch (GCP), but I do not receive any logs.

The .conf file:

input {
  tcp {
    port => "1514"
    tags => ["heroku_syslog"]
  }
}

filter {
  grok {
    match => {
      "message" => "%{SYSLOG5424PRI:pri}%{NUMBER:rfc_version} %{TIMESTAMP_ISO8601:timestamp} d.%{UUID:drain_id} %{WORD:app} %{USERNAME:dyno} - - %{GREEDYDATA:message}"
    }
    overwrite => ["message"]
    remove_field => ["pri", "rfc_version", "dyno", "timestamp", "syslog5424_pri"]
  }

  if [message] =~ "^\{.*\}[\s\S]*$" {
    json {
      source => "message"
    }
    mutate {
      add_tag => ["json"]
    }
  }
}

output {
  elasticsearch {
    hosts => "https://example.es.us-central1.gcp.cloud.es.io:9243"
    user => "user"
    password => "password"
    index => "logsinterconomy"
  }
}

The Logstash console:

"C:/logstash-8.1.0/config/heroku-elastic.conf"], :thread=>"#<Thread:0x43d9eae1 run>"}
[2022-03-16T16:11:21,326][INFO ][logstash.outputs.elasticsearch][main] Using a default mapping template {:es_version=>8, :ecs_compatibility=>:v8}
[2022-03-16T16:11:21,780][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>0.53}
[2022-03-16T16:11:21,878][INFO ][logstash.javapipeline    ][main] Pipeline started {"pipeline.id"=>"main"}
[2022-03-16T16:11:21,885][INFO ][logstash.inputs.tcp      ][main][7d53e961286efb565aa8b20dfb9b25758492c51dcc966e0dd98d9af1908c7891] Starting tcp input listener {:address=>"0.0.0.0:1514", :ssl_enable=>false}
[2022-03-16T16:11:21,938][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}

The Logstash file (YAML):

api.enabled: true
api.http.host: 127.0.0.1
api.http.port: 9600

Heroku
heroku drains:add syslog://127.0.0.1:1514 -a myappName

The tcp input listens on 0.0.0.0. Can you confirm that that includes 127.0.0.1 for your TCP stack? I believe there are systems where it does not. You should be able to test using curl.

Sorry I'm not clear what to do, you say to do a curl 127.0.0.1:1514?

Yes, do an HTTP "GET /" and see if you get Connection Refused. If you do, then you know it is not listening. If it hangs waiting for the input to talk HTTP back to it, then it is listening.

1 Like
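
The check described in the reply above (connection refused versus an open listener) can also be scripted without curl, and the same script can push one test line through the pipeline. This is an added example, not part of the original thread: `probe`, `parse` and the sample line are hypothetical names and constructed data, and the regex is only a rough Python approximation of the grok pattern in the posted config.

```python
import re
import socket

# Constructed sample line shaped to fit the grok pattern in the posted config;
# it is not a captured Heroku message.
SAMPLE = ('<190>1 2022-03-16T16:11:21.000000+00:00 '
          'd.00000000-0000-4000-8000-000000000000 app web.1 - - '
          '{"level":"info","msg":"constructed test event"}')

# Rough approximation of the grok expression (assumption: \S+ stands in for
# TIMESTAMP_ISO8601, \d+ for NUMBER).
HEROKU_RE = re.compile(
    r'<(?P<pri>\d{1,3})>(?P<rfc_version>\d+) (?P<timestamp>\S+) '
    r'd\.(?P<drain_id>[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}) '
    r'(?P<app>\w+) (?P<dyno>[A-Za-z0-9._-]+) - - (?P<message>.*)')
# Same expression as the config's `if [message] =~ ...` conditional.
JSON_RE = re.compile(r'^\{.*\}[\s\S]*$')

def parse(line):
    """Return the extracted fields, or None if the line would not match."""
    m = HEROKU_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["is_json"] = bool(JSON_RE.match(fields["message"]))
    return fields

def probe(host, port, line=None, timeout=3.0):
    """Classify a TCP port as 'listening', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if line is not None:
                s.sendall(line.encode() + b"\n")  # tcp input splits on newline
            return "listening"
    except ConnectionRefusedError:
        return "refused"      # nothing is bound to that address and port
    except (socket.timeout, TimeoutError):
        return "timeout"      # packets dropped, e.g. by a firewall
    except OSError:
        return "error"

if __name__ == "__main__":
    print(parse(SAMPLE))
    print(probe("127.0.0.1", 1514, SAMPLE))
```

A "listening" result against 127.0.0.1 only shows that the input accepts connections from the same machine; it does not show that other hosts can reach it.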

Thank you, Badger. Must I necessarily use port 1514 for syslog,
or can I use any other port?

You can change the input to listen on any port.

1 Like
