Logstash as syslog server - TCP is not working

Hello,
I am completely new to the ELK stack and I have just installed an ELK all-in-one machine for testing purposes. In our organization we want to send all syslog messages to logstash and then to ES.

I have the following configuration in /etc/logstash/conf.d/001-syslog.conf

input {
  tcp {
    port => 5514
    type => syslog
  }
  udp {
    port => 5514
    type => syslog
  }
}

# Apply some filters
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

## Send the message to Elasticsearch
output {
  elasticsearch { 
    hosts => ['http://localhost:9200']
    index => "syslog-%{+YYYY.MM.dd}"
    document_type => "system_logs"
  }
}

This is basically what we have from the "tutorials" in Elastic's site with some additions in the output.

On the client side I have this configuration in /etc/rsyslog.d/50-logstash.conf:

*.* @@logstash.example.com:5514

I have also configured 3 machines in my network to send syslog messages to the logstash server.

My problem at the moment is that when I send the logs via TCP logstash does nothing.
If I send the logs via UDP everything is fine!

There is no firewall problem since I allow traffic on both TCP and UDP. Also, the 4 machines are on the same network and thus they are not blocked.

tcpdump shows no TCP traffic on either the logstash server or the other machines.

Any ideas?
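To show what the filter block above actually does to an incoming line, here is an added Python equivalent of the grok pattern and the date match (this is example code written for this page, not Logstash's own implementation). The syslog lines, the host 10.0.0.5 and the year 2024 are constructed inputs; Logstash fills the year from the clock, and the `_grokparsefailure` / `_dateparsefailure` tags mirror what the grok and date filters add on a miss.

```python
import re
from datetime import datetime

# Python equivalent of the grok pattern in the filter block:
# %{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA}(?:\[%{POSINT}\])?: %{GREEDYDATA}
SYSLOG_RE = re.compile(
    r"^(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[A-Za-z0-9._-]+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)

# Constructed sample input: three well-formed RFC 3164 lines and one that is not.
SAMPLE_LINES = [
    "Feb  3 09:15:01 web01 sshd[2107]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Feb 14 23:59:59 db02 CRON[812]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb 14 23:59:59 db02 systemd: Started Session 42 of user root.",
    "not a syslog line at all",
]


def parse_syslog_timestamp(text, year):
    """Mirror the date filter's 'MMM  d HH:mm:ss' and 'MMM dd HH:mm:ss'.
    strptime treats a space in the format as one-or-more spaces, so one
    Python format covers both layouts. Syslog timestamps carry no year,
    so the caller supplies it (Logstash assumes the current year)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_syslog(line, host, received_at, year):
    """Return the event the filter block would emit for one raw line.
    host/received_at stand in for Logstash's [host] and @timestamp."""
    event = {"message": line, "host": host, "@timestamp": received_at, "tags": []}
    m = SYSLOG_RE.match(line)
    if m is None:
        # grok tags events the pattern does not match and adds no fields
        event["tags"].append("_grokparsefailure")
        return event
    event.update({k: v for k, v in m.groupdict().items() if v is not None})
    # add_field only runs on a successful grok match, hence it lives here
    event["received_at"] = received_at.isoformat()
    event["received_from"] = host
    try:
        # the date filter overwrites @timestamp with the parsed syslog time
        event["@timestamp"] = parse_syslog_timestamp(event["syslog_timestamp"], year)
    except ValueError:
        event["tags"].append("_dateparsefailure")
    return event


def parse_all(lines=SAMPLE_LINES, host="10.0.0.5", year=2024):
    """Run every constructed line through the filter emulation."""
    received = datetime(2024, 2, 14, 23, 59, 59)  # constructed receive time
    return [parse_syslog(line, host, received, year) for line in lines]


if __name__ == "__main__":
    for ev in parse_all():
        print(ev)
```

The `syslog_program` group is deliberately non-greedy, like grok's `DATA`, so `sshd[2107]` splits into program and pid while `systemd:` yields a program with no pid field at all; a line that does not match keeps its raw `message` and gains only the failure tag, which is the first thing to look for in Elasticsearch when parsed fields are missing.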

I will answer my own question then :)

The issue was missing SELinux labels at the originating host. ELK was fine, but I had to modify the port type in order to send logs to logstash.
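The symptom here (UDP works, no TCP packets at all on either side) points at the sender never opening a connection rather than at Logstash. The following added Python check, written for this page and not taken from Logstash or rsyslog, reproduces the `@@` forwarder's framing (one TCP stream, one newline-terminated line per message, the same line framing the Logstash tcp input expects by default) against a throw-away loopback receiver, and includes a connect probe for the real server address. The two sample messages are constructed; the port and hostname are whatever you pass in.

```python
import socket
import threading

# Constructed sample: what "*.* @@logstash.example.com:5514" puts on the wire,
# one RFC 3164 line per message, newline terminated, on a single TCP stream.
SAMPLE_MESSAGES = [
    "<13>Feb  3 09:15:01 web01 sshd[2107]: Accepted publickey for deploy",
    "<78>Feb  3 09:15:02 web01 CRON[2110]: (root) CMD (logger test)",
]


def tcp_syslog_receiver(srv, results, expected):
    """Accept one connection and split the stream on newlines, the default
    framing of the Logstash tcp input (line codec). Appends (peer_ip, line)."""
    conn, peer = srv.accept()
    with conn:
        buf = b""
        while len(results) < expected:
            chunk = conn.recv(4096)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                results.append((peer[0], line.decode("utf-8")))


def send_syslog_tcp(host, port, messages, timeout=5.0):
    """Emulate the rsyslog @@ forwarder: one connection, newline-framed lines."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for m in messages:
            s.sendall(m.encode("utf-8") + b"\n")


def probe_tcp(host, port, timeout=3.0):
    """Classify a plain TCP connect to the collector. Note that 'ok' from an
    interactive shell does not prove the daemon can connect: SELinux confines
    rsyslog in its own domain, so a port label problem blocks the daemon only."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as e:
        return f"error:{e.errno}"


def free_loopback_port():
    """Bind to an ephemeral loopback port and release it, for the examples."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def loopback_check(messages=SAMPLE_MESSAGES):
    """Stand up a receiver on loopback, push the messages through it and
    return what arrived; an empty list means the framing or delivery failed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    srv.settimeout(5.0)
    port = srv.getsockname()[1]
    results = []
    t = threading.Thread(target=tcp_syslog_receiver,
                         args=(srv, results, len(messages)), daemon=True)
    t.start()
    send_syslog_tcp("127.0.0.1", port, messages)
    t.join(5.0)
    srv.close()
    return results


if __name__ == "__main__":
    for peer, line in loopback_check():
        print(peer, line)
    print("closed port ->", probe_tcp("127.0.0.1", free_loopback_port()))
```

Run `loopback_check()` on the collector to confirm the listener side and the line framing; run `probe_tcp("logstash.example.com", 5514)` on a client to separate a refused or timed-out connection from the case seen in this thread, where the probe succeeds but rsyslog itself never connects. That last pattern is the SELinux signature the answer describes: on RHEL-family hosts the usual check is `semanage port -l | grep syslogd_port_t` and the fix is to add the non-standard port to that type (`semanage port -a -t syslogd_port_t -p tcp 5514`), commands that are not on the original page and are given here as the standard form of the change the author made.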
