I configured the syslog.conf file to get the traffic to Elasticsearch (installed on the same server).
Syslog data traffic is coming in CEF format to Logstash.
The syslog.conf file is as below:
    input {
      tcp {
        port => 5514
        type => "syslog"
        codec => cef          # every line received on the socket is decoded as CEF
      }
    }
    filter {
    }
    output {
      if [type] == "syslog" {
        stdout { codec => rubydebug }
        elasticsearch {
          hosts => "localhost:9200"
          user => "elastic"
          password => "XXXXXXX"
          http_compression => true   # boolean setting, no quotes needed
          index => "syslog-%{+YYYY.MM.dd}"
        }
      }
    }
Syslog data traffic is coming to elasticsearch.
But I got this error: Failed to decode CEF payload. Generating failure event with payload in message field
I'm using ELK version 7.10.1.
That error is occurring here. I think it is telling you that there is no CEF version header in the message.
<22>Feb 24 20:54:53 KMG postfix/smtpd[14822]: disconnect from unknown[50.3.251.142]\n<20>Feb 24 20:54:53 KMG klms-smtp_proxy: Unexpected end of SMTP input: Bad file descriptor at void lms::filters::smtp_proxy::CopySmtpStream(std::istream&, std::ostream&, bool)\n"}
And indeed, that is a syslog message, but not CEF.
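To make the distinction concrete, here is an added example (not code from the thread or from the Logstash CEF codec) that mimics the decision the codec makes: it looks for a `CEF:<version>|` header, decodes the pipe-delimited header fields and the key=value extension when one is present, and otherwise keeps the raw payload under `message`, which is exactly the "failure event" the error above describes. Sample payloads, field names and the `decode_error` key are constructed for the example.

```python
import re

# Constructed samples: a plain syslog line (what the poster is actually receiving)
# and a syslog line that wraps a real CEF record (what the codec expects).
SYSLOG_ONLY = "<22>Feb 24 20:54:53 KMG postfix/smtpd[14822]: disconnect from unknown[192.0.2.10]"
SYSLOG_CEF = ("<134>Feb 24 20:55:01 KMG CEF:0|Vendor|Product|1.0|100|Blocked connection|5|"
              "src=192.0.2.10 dst=198.51.100.7 msg=Bad file descriptor\\=EOF")

CEF_HEADER_RE = re.compile(r"CEF:(\d+)\|")          # header must start with CEF:<version>|
EXT_KEY_RE = re.compile(r"(?:^|\s)([\w.\[\]]+)=")   # extension keys: key= at start or after a space

def split_cef_fields(text, count):
    """Return `count` pipe-delimited header fields plus the remainder; '\\|' and '\\\\' are escapes."""
    fields, cur, i = [], [], 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped character: keep it literally
            cur.append(text[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < count:
        raise ValueError("truncated CEF header")
    return fields, text[i:]

def parse_extension(ext):
    """Split the extension into key/value pairs; values may contain spaces and '\\=' escapes."""
    matches, out = list(EXT_KEY_RE.finditer(ext)), {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out

def decode_cef(payload):
    """Decode a CEF record, tolerating a syslog prefix; report failure when no header exists."""
    m = CEF_HEADER_RE.search(payload)
    if m is None:
        # The situation in the thread: syslog text without a CEF header -> failure event.
        return {"decode_error": "no CEF:<version>| header found", "message": payload}
    try:
        fields, ext = split_cef_fields(payload[m.end():], 6)
    except ValueError as exc:
        return {"decode_error": str(exc), "message": payload}
    vendor, product, version, sig_id, name, severity = fields
    return {"syslog_prefix": payload[:m.start()].rstrip(), "cef_version": m.group(1),
            "device_vendor": vendor, "device_product": product, "device_version": version,
            "signature_id": sig_id, "name": name, "severity": severity,
            "extension": parse_extension(ext)}
```

Running `decode_cef` over the plain postfix line yields only `decode_error` and `message`; the same function over the CEF sample returns the structured fields, so a conditional `codec`/filter split on the presence of that header is what the pipeline needs.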