I've been fighting this the last couple of days and, well, I give up and need help. So I have an ELK stack Docker setup and I'm simply trying to set up Logstash to accept syslog directly. I picked a random port, 5514, and put the following in docker-elk/logstash/config/logstash.yml (which is referenced as a volume in the compose file). Anyway, no matter what I seem to put in the yml file, I get an error stating
error: yaml: line X: could not find expected ':'
I've tried the following:
> ---
> http.host: "192.168.1.227"
> input {
>   udp {
>     host => "localhost"
>     port => 5514
>     codec => "json"
>     type => "rsyslog"
>   }
> }
>
> filter { }
>
> output {
>   if [type] == "rsyslog" {
>     elasticsearch {
>       hosts => [ "localhost:9200" ]
>     }
>   }
> }
---
http.host: "192.168.1.227"
input {
  tcp {
    port => 5514
    type => syslog
  }
  udp {
    port => 5514
    type => syslog
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}
---
http.host: "192.168.1.227"
input {
  tcp {
    port => 5514
    type => syslog
  }
}
Any suggestions would be greatly appreciated.
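Added example (my own, not from the original post and not docker-elk's own code): the `could not find expected ':'` error is a YAML parser complaining because `logstash.yml` is a YAML settings file (`key: value` lines only), while `input { ... }`, `filter { ... }` and `output { ... }` are Logstash pipeline DSL that belongs in a separate `.conf` file. The script below, stdlib only, scans a mixed file for the first line that is not a YAML setting (a heuristic, not a full YAML parser), splits the file into its settings and pipeline halves, and can write them to `config/logstash.yml` and `pipeline/logstash.conf` under a directory you name. The assumption that the pipeline file lives under `logstash/pipeline/` is the layout docker-elk mounts by default; check the compose file's volume lines for your version. The sample input is the first attempt from the post, embedded as a constructed string.

```python
"""Separate Logstash settings (YAML) from pipeline DSL put into logstash.yml by mistake.

Added example, not code from the original post or from docker-elk. Stdlib only.
"""
import os
import re
from typing import List, Tuple

# A settings line in logstash.yml is `key: value` (dotted keys allowed), a comment,
# a blank line or a YAML document marker. Anything else is treated as pipeline DSL.
# This is a heuristic classifier, not a YAML parser.
_YAML_KEY = re.compile(r"^\s*[A-Za-z0-9_.\-]+:(\s|$)")
_YAML_OTHER = re.compile(r"^\s*(#.*|---|\.\.\.)?\s*$")


def is_settings_line(line: str) -> bool:
    """True if the line is acceptable in logstash.yml (heuristic)."""
    return bool(_YAML_KEY.match(line) or _YAML_OTHER.match(line))


def find_pipeline_dsl(text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, line) for every line that is not a YAML setting.

    The first entry is where the YAML parser starts to choke; the real error line
    it reports may be later, once it fails to find the ':' it expects.
    """
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if not is_settings_line(line)]


def split_mixed_config(text: str) -> Tuple[str, str]:
    """Split a mixed file into (settings YAML, pipeline DSL), preserving line order."""
    settings: List[str] = []
    pipeline: List[str] = []
    for line in text.splitlines():
        (settings if is_settings_line(line) else pipeline).append(line)
    return "\n".join(settings).strip() + "\n", "\n".join(pipeline).strip() + "\n"


def write_split(text: str, logstash_dir: str) -> Tuple[str, str]:
    """Write settings to <dir>/config/logstash.yml and DSL to <dir>/pipeline/logstash.conf.

    Assumed layout: docker-elk mounts ./logstash/config/logstash.yml and
    ./logstash/pipeline/ into the Logstash container. Overwrites existing files.
    """
    settings, pipeline = split_mixed_config(text)
    yml = os.path.join(logstash_dir, "config", "logstash.yml")
    conf = os.path.join(logstash_dir, "pipeline", "logstash.conf")
    os.makedirs(os.path.dirname(yml), exist_ok=True)
    os.makedirs(os.path.dirname(conf), exist_ok=True)
    with open(yml, "w") as f:
        f.write(settings)
    with open(conf, "w") as f:
        f.write(pipeline)
    return yml, conf


# Constructed sample: the first attempt from the post, as it sat in logstash.yml.
MIXED = """---
http.host: "192.168.1.227"
input {
  udp {
    host => "localhost"
    port => 5514
    codec => "json"
    type => "rsyslog"
  }
}

filter { }

output {
  if [type] == "rsyslog" {
    elasticsearch {
      hosts => [ "localhost:9200" ]
    }
  }
}
"""

if __name__ == "__main__":
    hits = find_pipeline_dsl(MIXED)
    print(f"first pipeline-DSL line in logstash.yml: {hits[0][0]}: {hits[0][1]!r}")
    settings, pipeline = split_mixed_config(MIXED)
    print("--- config/logstash.yml ---\n" + settings)
    print("--- pipeline/logstash.conf ---\n" + pipeline)
```

Two things to check in the pipeline half before starting the container, both assumptions about a Docker deployment rather than facts from the post: `host => "localhost"` on the `udp` input binds the container's own loopback, so nothing on the LAN can reach it; bind `0.0.0.0` (the default when `host` is omitted) and publish `5514:5514/udp` (and `/tcp` if you keep the tcp input) in the compose service. Likewise `hosts => [ "localhost:9200" ]` inside the Logstash container points at the container itself, not at Elasticsearch; in docker-elk the service is reachable by its compose name, typically `elasticsearch:9200`. Since syslog over plain UDP carries no authentication, restrict who can reach the published port (host firewall or a Docker network rule) or prefer the tcp input with `ssl_enable` once the basic setup works.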