Logstash doesn't receive syslog

Hi,

I'm setting up Logstash to receive syslog, but it seems Logstash doesn't receive anything.

I can monitor Logstash in Elasticsearch, and I see I have no received/sent events:

I'm running ELK on Docker.

Here is my Logstash config:

logstash:
     image: 684de72d85c6
     container_name: elk5_logstash
     ports:
       - 514:514/udp
       - 9600:9600
     environment:
       - node.name=logstash2
       - xpack.monitoring.elasticsearch.url=http://172.25.3.18:9200
       - xpack.monitoring.elasticsearch.username=elastic
       - xpack.monitoring.elasticsearch.password=changeme
       - path.logs=/var/log/logstash
       - log.level=debug
     volumes:
       - logstash-pipeline:/usr/share/logstash/pipeline
       - logstash-config:/usr/share/logstash/config
     restart: on-failure

volumes:
  logstash-config:
    external: true
  logstash-pipeline:
    external: true

Here is my Logstash pipeline:

input {
  syslog {
    # Listens on 514 (TCP and UDP) by default. The official image runs Logstash
    # as an unprivileged user, which cannot bind ports below 1024.
    # Set the type so the conditional in the filter block below actually matches.
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    # The syslog input already decodes the RFC 3164 header (priority, timestamp,
    # logsource, program, pid); this grok only matters with plain tcp/udp inputs.
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => { "received_at" => "%{@timestamp}" "received_from" => "%{host}" }
    }
    date {
      # Two formats because BSD syslog space-pads single-digit days ("Oct  3").
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["172.25.3.18:9200"]
    # Security is enabled (monitoring above authenticates as elastic/changeme),
    # so the output needs the same credentials or indexing fails with 401.
    user => "elastic"
    password => "changeme"
  }
}

Am I missing something in my config?

Thanks in advance

Pippo

Does Logstash start up okay? Is it listening on the expected ports inside the container (i.e. can you send it messages via e.g. netcat)? Are those ports exposed outside the container (test with netcat)? Can Logstash connect to ES properly or is it screaming about problems related to that in the log? Be systematic and narrow the problem down.

Thanks for your answer.

Logstash starts up okay.

From outside the container:

I can't send it messages via netcat to 172.25.3.18:514

I ran Nmap against my server, and I can see that port 514/UDP is open.

I added a rule to accept all traffic on port 514/UDP in iptables.

 iptables -A INPUT -p udp --dport 514 -j ACCEPT
 iptables -A OUTPUT -p udp --dport 514 -j ACCEPT

From inside the container:

I can't see any open port (Nmap returns that there are no open ports), and I can't send messages with netcat.

Logs:

I don't have any logs in /var/log/logstash.

Thanks

EDIT :

I just found out that only "root" can listen on ports below 1024, so I changed my config to port 5000/UDP, but I'm still having trouble receiving syslog messages.
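As an added example, not code from the thread: a small Python test sender and parser. It builds an RFC 3164 line of the shape the grok pattern in the first post expects, decodes the <PRI> facility/severity the way Logstash's syslog input does, and fires it as a datagram the way netcat would. The hostname, program, user and timestamp are constructed; the target defaults to the thread's 172.25.3.18:514.

```python
import re
import socket
from datetime import datetime

# RFC 3164 facility/severity codes (subset); PRI = facility * 8 + severity.
FACILITY = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# Python equivalent of the grok pattern in the first post, plus the leading
# <PRI> that Logstash's syslog input decodes before the rest is parsed.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>\S+) "
    r"(?P<syslog_program>.*?)(?:\[(?P<syslog_pid>[1-9]\d*)\])?: "
    r"(?P<syslog_message>.*)$")

def build_rfc3164(facility, severity, host, program, msg, pid=None, when=None):
    """BSD-syslog line; the day is space-padded ("Oct  3"), which is why the
    date filter needs both the "MMM  d" and "MMM dd" formats."""
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    tag = f"{program}[{pid}]" if pid is not None else program
    return f"<{FACILITY[facility] * 8 + SEVERITY[severity]}>{ts} {host} {tag}: {msg}"

def parse_rfc3164(line):
    """Fields the grok filter would add, or None where it would _grokparsefailure."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    if ev["pri"] is not None:  # same split the syslog input performs
        pri = int(ev.pop("pri"))
        ev["facility"], ev["severity"] = pri >> 3, pri & 7
    return ev

def send_udp(line, host="172.25.3.18", port=514):
    """Fire-and-forget datagram, what `nc -u` does. UDP carries no ack, so a
    successful send only proves the packet left; confirm arrival with `ss -ulnp`
    inside the container. If the pipeline listens on 5000 there, the compose
    mapping must be 514:5000/udp (HOST:CONTAINER) for host port 514 to reach it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode(), (host, port))

def demo():
    """Constructed sample event: hostname, program, user and time are made up."""
    line = build_rfc3164("auth", "info", "web01", "sshd", "Accepted publickey for alice",
                         pid=1234, when=datetime(2017, 10, 3, 14, 5, 9))
    return line, parse_rfc3164(line)
```

Run `demo()` to see the line and the parsed fields, then `send_udp(demo()[0])` to push it at the mapped port while watching Logstash's output.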
