Logstash and syslog messages from Cisco UCS

Hello, I've configured our Cisco UCS / Fabric Interconnect device to send its syslogs to Logstash, and using tcpdump -n dst port 514 I can see that the devices are connecting to that port on the Logstash node. However, the index that I have configured for these messages does not appear to exist in Elasticsearch. I've posted the relevant sections of logstash.conf below:

```
input {
  tcp {
    port => 514
    type => syslogucs
  }
  udp {
    port => 514
    type => syslogucs
  }
}

filter {
  if [type] == "syslogucs" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # both added fields in a single add_field hash
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }

    syslog_pri { }

    # grok stores the time in syslog_timestamp, so the date filter must read that field
    date {
      match => [ "syslog_timestamp",
                 "MMM dd HH:mm:ss",
                 "MMM  d HH:mm:ss",
                 "MMM dd yyyy HH:mm:ss",
                 "MMM  d yyyy HH:mm:ss" ]
    }
  }
}

output {
  if [type] == "syslogucs" {
    elasticsearch {
      hosts => ["192.168.56.226:9200", "192.168.52.251:9200", "192.168.52.252:9200"]
      index => "syslogucs-%{+YYYY.MM}"
    }
  }
}
```

If I go into Kibana it says it can't find the index pattern "syslogucs-*". Can anyone help?

Thanks.

I've just taken a look in the /var/log/logstash/logstash-plain.log file and it shows the following message repeatedly:

```
[2017-05-05T14:18:25,111][INFO ][logstash.inputs.udp      ] Starting UDP listener {:address=>"0.0.0.0:514"}
[2017-05-05T14:18:25,111][WARN ][logstash.inputs.udp      ] UDP listener died {:exception=>#<SocketError: bind: name or service not known>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:160:in `bind'", "/usr/local/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-udp-3.1.0/lib/logstash/inputs/udp.rb:82:in `udp_listener'", "/usr/local/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-udp-3.1.0/lib/logstash/inputs/udp.rb:56:in `run'", "/usr/local/logstash/logstash-core/lib/logstash/pipeline.rb:425:in `inputworker'", "/usr/local/logstash/logstash-core/lib/logstash/pipeline.rb:419:in `start_input'"]}
```

I realised the inbuilt syslog daemon was listening on 514 and have now disabled it; I no longer see those messages in the Logstash log. I still can't see the index pattern but will keep checking and update this post.

Problem fixed: I can now see the index, so it was the inbuilt syslog daemon interfering with Logstash listening on port 514 :slight_smile:
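The failure mode in this thread, a local syslog daemon already holding port 514 so the Logstash udp input cannot bind, can be caught before Logstash is started. The following is an added example, not part of the original post or of Logstash: it performs the same TCP and UDP bind the paired inputs above would, and the `occupy_port` helper stands in for the conflicting daemon so the check can be exercised on an unprivileged port.

```python
import socket

# Added example (not the poster's config): a preflight check for the
# tcp{} / udp{} syslog inputs above. It attempts the same bind Logstash
# performs, so a local syslog daemon already holding the port is found
# before the "UDP listener died ... bind" warning appears in the log.

def port_is_bindable(port, proto="udp", address="0.0.0.0"):
    """True if a fresh listener could bind address:port for the given protocol."""
    sock_type = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, sock_type) as s:
        try:
            s.bind((address, port))
        except OSError:  # EADDRINUSE, EACCES (port < 1024 without root), ...
            return False
    return True

def syslog_input_preflight(port=514):
    """Check both protocols the paired tcp{}/udp{} inputs need on one port."""
    return {proto: port_is_bindable(port, proto) for proto in ("tcp", "udp")}

def occupy_port(port=0, proto="udp", address="0.0.0.0"):
    """Hold a socket on the port (stand-in for the syslog daemon); port 0 picks
    a free one. The caller must close the returned socket."""
    sock_type = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    s = socket.socket(socket.AF_INET, sock_type)
    s.bind((address, port))
    if proto == "tcp":
        s.listen()
    return s

if __name__ == "__main__":
    # Real check for the port used in the post (binding 514 needs root).
    print("514:", syslog_input_preflight(514))
    # Simulated conflict on an unprivileged port: a held UDP socket is
    # reported the same way the inbuilt syslog daemon was on the host.
    holder = occupy_port(0, "udp")
    port = holder.getsockname()[1]
    print(f"{port} while held:", syslog_input_preflight(port))
    holder.close()
    print(f"{port} after release:", syslog_input_preflight(port))
```

A `False` for either protocol means Logstash's matching input will die at startup exactly as the log above shows; stop or reconfigure whatever holds the port, or move the input to another port.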
