Hello,
I am completely new to the ELK stack and I have just installed an ELK all-in-one machine for testing purposes. In our organization we want to send all syslog messages to logstash and then to ES.
I have the following configuration in /etc/logstash/conf.d/001-syslog.conf
input {
tcp {
port => 5514
type => syslog
}
udp {
port => 5514
type => syslog
}
}
# Apply some filters
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
## Send the message to Elasticsearch
output {
elasticsearch {
hosts => ['http://localhost:9200']
index => "syslog-%{+YYYY.MM.dd}"
document_type => "system_logs"
}
}
This is basically what we have from the "tutorials" in Elastic's site with some additions in the output.
On the client side I have this configuration in /etc/rsyslog.d/50-logstash.conf:
*.* @@logstash.example.com:5514
I have also configured 3 machines in my network to send syslog messages to the logstash server.
My problem at the moment is that when I send the logs via TCP logstash does nothing.
If I send the logs via UDP everything is fine!
There is no firewall problem since I allow traffic on both TCP and UDP. Also, the 4 machines are on the same network and thus they are not blocked.
TCPdump has no entries for TCP traffic neither on the logstash server nor the other machines.
Any ideas?