Hey,
I configured logstash to get data from beats and syslog like here:
input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash.crt"
ssl_key => "/etc/pki/tls/private/logstash.key"
}
tcp {
port => 5515
type => syslog
}
udp {
port => 5514
type => syslog
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
elasticsearch {
hosts => "XXX.XXX.XXX.XXX:9200"
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
}
}
I can see, that the syslog messages and also the winlogbeat messages are arriving, but i cannot see them on Kibana.
If i make a tcpdump on my elastic server and generate syslog messages on the client, i can see that these messages are forwarded.
[root@lab-elastic-01 ~]# tcpdump host XXX.XXX.XXX.XXX
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:18:25.188968 ARP, Request who-has XXX.XXX.XXX.XXX tell 172.31.255.201, length 46
12:18:26.247534 IP XXX.XXX.XXX.XXX.38886 > lab-elastic-01.5514: UDP, length 109
12:18:26.255254 IP XXX.XXX.XXX.XXX.38886 > lab-elastic-01.5514: UDP, length 81
12:18:26.256603 IP XXX.XXX.XXX.XXX.38886 > lab-elastic-01.5514: UDP, length 80
12:18:26.258855 IP XXX.XXX.XXX.XXX.38886 > lab-elastic-01.5514: UDP, length 114
12:18:26.258963 IP XXX.XXX.XXX.XXX.38886 > lab-elastic-01.5514: UDP, length 83
I also can see the index in Kibana and see that the number of documents increases. But when im in the discover tab, there i cant see any of these logs/messages.
When i look into these indexes of syslog there is an Error appearing.
Are there problems in my configuration of syslog and winlogbeat?
Thanks for your time 