Environment:
- 50 CentOS 7.6 servers
- 192.168.1.145 - Elasticsearch master server
- 192.168.1.146 - Elasticsearch master server
- 192.168.1.147 - Elasticsearch master server
- 192.168.1.148 - Elasticsearch data server
- 192.168.1.149 - Elasticsearch data server
- 192.168.1.150 - Logstash and rsyslog server
- 192.168.1.151 - Kibana server
I was following this blog posting:
I followed all the steps and all my servers are logging to the rsyslog server so that's working.
Per the blog, I have:
# This input block will listen on port 10514 for logs to come in.
# host should be an IP on the Logstash server (it is the bind address, not a remote host).
# codec => "json" indicates that we expect each datagram we receive to be a single JSON object
# type => "rsyslog" is an optional identifier to help identify messaging streams in the pipeline.
input {
  udp {
    host => "192.168.1.150"
    port => 10514
    codec => "json"
    type => "rsyslog"
  }
}
# This is an empty filter block. You can later add other filters here to further process
# your log lines
filter { }
# This output block will send all events of type "rsyslog" to Elasticsearch at the configured
# hosts and port into daily indices of the pattern "rsyslog-YYYY.MM.DD".
# The index setting is required for that pattern; without it the default "logstash-YYYY.MM.dd" is used.
output {
  if [type] == "rsyslog" {
    elasticsearch {
      hosts => [ "192.168.1.145:9200", "192.168.1.146:9200", "192.168.1.147:9200" ]
      index => "rsyslog-%{+YYYY.MM.dd}"
    }
  }
}
and
# This line sends all lines to the defined IP address at port 10514 over UDP (single @),
# using the "json-template" format template. The template must be defined earlier in the
# rsyslog configuration (a $template directive); otherwise rsyslog reports an error for this rule at startup.
*.* @192.168.1.150:10514;json-template
Logs show Logstash connecting to the three Elasticsearch servers.
I've done some troubleshooting: changing the host IP in the configuration files to 127.0.0.1 per another comment I read, putting the port in quotes just in case, and changing rsyslog to syslog in case there's a type error, but it all looks like it's configured correctly.
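A diagnostic that is not part of the original post or of the blog it follows, added here as an example: with `codec => "json"` on the UDP input, Logstash only turns a datagram into a structured event if the whole datagram is one valid JSON object; anything else is tagged `_jsonparsefailure`, so "Logstash connects to Elasticsearch fine but nothing useful shows up" is often a payload problem rather than a connectivity one. The script below classifies datagrams the way the json codec would and runs a loopback self-test against constructed sample datagrams; the field names in those samples (`@timestamp`, `host`, `severity`, `facility`, `tag`, `message`) are an assumption about what an rsyslog JSON template might emit, not something taken from the poster's configuration.

```python
"""Check what a Logstash udp/json input would make of rsyslog datagrams.

Example code added for this page (not from the original post or the blog).
Field names in SAMPLE_DATAGRAMS are assumed, not taken from any real template.
"""
import json
import socket
from collections import Counter

# Constructed sample datagrams (not captured from the poster's servers).
SAMPLE_DATAGRAMS = [
    # Well-formed: what a correct rsyslog JSON template should produce.
    b'{"@timestamp":"2019-05-01T12:00:00+00:00","host":"web01","severity":"info",'
    b'"facility":"auth","tag":"sshd[1234]:","message":"Accepted publickey for root"}',
    # Broken: a double quote inside the message was not escaped by the template.
    b'{"@timestamp":"2019-05-01T12:00:01+00:00","host":"web02","severity":"err",'
    b'"facility":"daemon","tag":"app:","message":"config key "timeout" missing"}',
    # Plain RFC 3164 syslog line: what arrives if ";json-template" is missing
    # from the *.* rule or the template is not defined in rsyslog.conf.
    b'<38>May  1 12:00:02 web03 sshd[99]: Failed password for invalid user admin',
]


def classify(datagram: bytes) -> dict:
    """Return {"ok": True, "event": dict} if the datagram is one JSON object,
    else {"ok": False, "error": str}, mirroring the json codec's success/failure."""
    try:
        text = datagram.decode("utf-8")
    except UnicodeDecodeError as exc:
        return {"ok": False, "error": f"not UTF-8: {exc}"}
    try:
        event = json.loads(text)
    except json.JSONDecodeError as exc:
        return {"ok": False, "error": f"not JSON: {exc.msg} at column {exc.colno}"}
    if not isinstance(event, dict):
        return {"ok": False, "error": "JSON value is not an object"}
    return {"ok": True, "event": event}


def summarize(datagrams) -> Counter:
    """Count how many datagrams would index cleanly vs. get _jsonparsefailure."""
    counts = Counter()
    for d in datagrams:
        counts["ok" if classify(d)["ok"] else "_jsonparsefailure"] += 1
    return counts


def loopback_capture(datagrams, timeout=2.0) -> list:
    """Bind a UDP listener on 127.0.0.1, send the datagrams to it, and return
    what was received. To probe a real pipeline, send to the Logstash host
    (e.g. 192.168.1.150:10514) instead and watch the Logstash output."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))   # ephemeral port, so the test never collides
    listener.settimeout(timeout)
    addr = listener.getsockname()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    received = []
    try:
        for d in datagrams:
            client.sendto(d, addr)
        for _ in datagrams:
            data, _src = listener.recvfrom(65535)
            received.append(data)
    finally:
        client.close()
        listener.close()
    return received


if __name__ == "__main__":
    got = loopback_capture(SAMPLE_DATAGRAMS)
    for d in got:
        r = classify(d)
        status = "OK " if r["ok"] else "BAD"
        print(status, r.get("error") or r["event"]["message"])
    print(summarize(got))
```

To use it against the real setup, stop Logstash briefly, run the listener half on 192.168.1.150:10514 (bind to that address instead of loopback) and classify what rsyslog actually sends; a run of `_jsonparsefailure` results points at the rsyslog template, not at the Elasticsearch output.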