Logsstash filling up /var/log/syslog?

mathurin68 · November 18, 2017, 2:01pm

syslog in /var/log filling up with logstash?

Every event coming through logstash is filling up syslog -
ogstash[54646]: "type" => "wineventlog",
Nov 18 06:25:05 elkstack logstash[54646]: "opcode" => "Info",
Nov 18 06:25:05 elkstack logstash[54646]: "version" => 1,
Nov 18 06:25:05 elkstack logstash[54646]: "tags" => [
Nov 18 06:25:05 elkstack logstash[54646]: [0] "beats_input_codec_plain_applied"
Nov 18 06:25:05 elkstack logstash[54646]: ],

This is what I have in conf.d -
ack:/etc/logstash/conf.d# grep -r "syslog" .
./10-syslog-filter.conf: if [type] == "syslog" {
./10-syslog-filter.conf: match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
./10-syslog-filter.conf: syslog_pri { }
./10-syslog-filter.conf: match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]

Maybe this is normal, not sure...

warkolm · November 18, 2017, 10:13pm

Looks like you have a stdout output somewhere.

mathurin68 · November 20, 2017, 8:29pm

Thanks Mark!

Jason_Brooks · November 30, 2017, 9:14pm

Hello warkolm,

Does this mean that when daemonized and stdout is defined, that everything is written to syslog?

That's good to know.

--jason

warkolm · November 30, 2017, 9:19pm

Yes, because that is stdout when daemonised.

system · December 28, 2017, 9:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.