Logstash logs all inputs to syslog

Logstash version: 5.3.2
OS: Ubuntu 16.04

I have an issue where everything that comes through the Logstash input gets appended to the system's syslog, even though I have log.level: fatal set in the configuration file. Is this normal behaviour for Logstash?

Here is my configuration set:

/etc/logstash/logstash.yml

# Logstash node settings: node name plus the data, pipeline-config and log directories.
node.name: prod-elk-1
# NOTE(review): path.data is set twice in this file (here and two lines below).
# Keep a single entry so it is unambiguous which directory holds persistent data.
path.data: /var/lib/logstash
path.config: /etc/logstash/conf.d
path.data: /mnt/data/logstash
path.logs: /var/log/logstash
# log.level governs Logstash's own log messages only. Events printed by a
# stdout output in the pipeline are not log messages and are not silenced by it.
log.level: fatal

/etc/logstash/conf.d/grok.conf

# Input stage: accepts events from Beats shippers on TCP 5044.
# NOTE(review): no TLS or client-certificate options are set here, so any host
# that can reach this port can submit events and traffic is sent in clear text.
# Confirm the port is firewalled to known shippers, or enable the beats input's
# ssl options with client verification.
input {
  beats {
    port => 5044
  }
}

# START FILTER #
# Filter stage: routes on [type]. "syslog" events are grokked and dated;
# "nginx-access" events are grokked, get millisecond timings, and are enriched
# with geoip and user-agent data.
# SYSLOG_UBUNTU and NGINX_ACCESS are custom patterns that are not shown here, so
# the field names and types noted below are assumptions to confirm against them.
# NOTE(review): [type] and %{host} are presumably supplied by the shipper itself;
# with an unauthenticated input they should not be treated as proof of origin.
filter {
  
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOG_UBUNTU}" }
      # Record when the event was received and which host reported it.
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      # Two formats: single-digit days are space-padded in classic syslog timestamps.
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }

  else if [type] == "nginx-access" {
    grok {
      patterns_dir => ["/usr/share/logstash/patterns"]
      match => { "message" => "%{NGINX_ACCESS}" }
      add_field => [ "received_from", "%{host}" ]
    }
    # Convert the two timing fields to milliseconds.
    # NOTE(review): this runs even when grok failed or a field is absent; a nil
    # value makes the multiplication raise and the event gets tagged as a ruby
    # exception. If the pattern captures these fields as strings (no :float
    # cast), String * 1000 repeats the text instead of scaling it — confirm.
    # NOTE(review): "upsteam" looks like a misspelling of "upstream"; it must
    # match the capture name used in NGINX_ACCESS — verify before renaming.
    ruby {
      code => "
        event.set('request_time_ms', event.get('request_time') * 1000)
        event.set('upsteam_response_time_ms', event.get('upsteam_response_time') * 1000)
      "
    }
    mutate {
      # Drop the original timing fields and store the millisecond values as integers.
      remove_field => [ "request_time", "upsteam_response_time" ]
      convert => {
        "request_time_ms" => "integer"
        "upsteam_response_time_ms" => "integer"
      }
    }
    geoip {
      # Look up location data for the address in client_ip.
      source => "client_ip"
    }
    useragent {
      # Parse the raw User-Agent string into structured fields under "useragent".
      source => "useragent_raw"
      target => "useragent"
    }
  }
}

# Output stage: index every event into the local Elasticsearch node and also
# print it to standard output in rubydebug form.
# NOTE(review): when Logstash runs as a service, standard output ends up in
# syslog, so the stdout output copies the full content of every event there.
# The sample below shows events with source /var/log/syslog and
# syslog_program "logstash": the shipper is re-reading Logstash's own output,
# a feedback loop that grows the log and the index. Keep stdout for interactive
# debugging only.
output {
  elasticsearch { hosts => ["127.0.0.1:9200"] }
  stdout { codec => rubydebug }
}

/var/log/syslog

May  4 07:58:35 prod-elk-1 logstash[10852]: {
May  4 07:58:35 prod-elk-1 logstash[10852]:          "syslog_pid" => "9339",
May  4 07:58:35 prod-elk-1 logstash[10852]:              "offset" => 125237678,
May  4 07:58:35 prod-elk-1 logstash[10852]:          "input_type" => "log",
May  4 07:58:35 prod-elk-1 logstash[10852]:              "source" => "/var/log/syslog",
May  4 07:58:35 prod-elk-1 logstash[10852]:      "syslog_program" => "logstash",
May  4 07:58:35 prod-elk-1 logstash[10852]:             "message" => "May  4 07:29:45 prod-elk-1 logstash[9339]:     \"syslog_hostname\" => \"prod-elk-1\",",
May  4 07:58:35 prod-elk-1 logstash[10852]:                "type" => "syslog",
May  4 07:58:35 prod-elk-1 logstash[10852]:      "syslog_message" => "    \"syslog_hostname\" => \"prod-elk-1\",",
May  4 07:58:35 prod-elk-1 logstash[10852]:                "tags" => [
May  4 07:58:35 prod-elk-1 logstash[10852]:         [0] "beats_input_codec_plain_applied"
May  4 07:58:35 prod-elk-1 logstash[10852]:     ],
May  4 07:58:35 prod-elk-1 logstash[10852]:       "received_from" => "prod-elk-1",
May  4 07:58:35 prod-elk-1 logstash[10852]:          "@timestamp" => 2017-05-04T07:58:29.228Z,
May  4 07:58:35 prod-elk-1 logstash[10852]:     "syslog_hostname" => "prod-elk-1",
May  4 07:58:35 prod-elk-1 logstash[10852]:         "received_at" => "2017-05-04T07:58:29.228Z",
May  4 07:58:35 prod-elk-1 logstash[10852]:            "@version" => "1",
May  4 07:58:35 prod-elk-1 logstash[10852]:                "beat" => {
May  4 07:58:35 prod-elk-1 logstash[10852]:         "hostname" => "prod-elk-1",
May  4 07:58:35 prod-elk-1 logstash[10852]:             "name" => "prod-elk-1",
May  4 07:58:35 prod-elk-1 logstash[10852]:          "version" => "5.3.2"
May  4 07:58:35 prod-elk-1 logstash[10852]:     },
May  4 07:58:35 prod-elk-1 logstash[10852]:                "host" => "prod-elk-1"
May  4 07:58:35 prod-elk-1 logstash[10852]: }
May  4 07:58:35 prod-elk-1 logstash[10852]: {
May  4 07:58:35 prod-elk-1 logstash[10852]:          "syslog_pid" => "9339",
May  4 07:58:35 prod-elk-1 logstash[10852]:              "offset" => 125237774,
May  4 07:58:35 prod-elk-1 logstash[10852]:          "input_type" => "log",
May  4 07:58:35 prod-elk-1 logstash[10852]:              "source" => "/var/log/syslog",
May  4 07:58:35 prod-elk-1 logstash[10852]:      "syslog_program" => "logstash",
May  4 07:58:35 prod-elk-1 logstash[10852]:             "message" => "May  4 07:29:45 prod-elk-1 logstash[9339]:         \"received_at\" => \"2017-05-04T07:29:37.503Z\",",
May  4 07:58:35 prod-elk-1 logstash[10852]:                "type" => "syslog",
May  4 07:58:35 prod-elk-1 logstash[10852]:      "syslog_message" => "        \"received_at\" => \"2017-05-04T07:29:37.503Z\",",
May  4 07:58:35 prod-elk-1 logstash[10852]:                "tags" => [
May  4 07:58:35 prod-elk-1 logstash[10852]:         [0] "beats_input_codec_plain_applied"
May  4 07:58:35 prod-elk-1 logstash[10852]:     ],
May  4 07:58:35 prod-elk-1 logstash[10852]:       "received_from" => "prod-elk-1",
May  4 07:58:35 prod-elk-1 logstash[10852]:          "@timestamp" => 2017-05-04T07:58:29.228Z,
May  4 07:58:35 prod-elk-1 logstash[10852]:     "syslog_hostname" => "prod-elk-1",
May  4 07:58:35 prod-elk-1 logstash[10852]:         "received_at" => "2017-05-04T07:58:29.228Z",
May  4 07:58:35 prod-elk-1 logstash[10852]:            "@version" => "1",
May  4 07:58:35 prod-elk-1 logstash[10852]:                "beat" => {
May  4 07:58:35 prod-elk-1 logstash[10852]:         "hostname" => "prod-elk-1",
May  4 07:58:35 prod-elk-1 logstash[10852]:             "name" => "prod-elk-1",
May  4 07:58:35 prod-elk-1 logstash[10852]:          "version" => "5.3.2"
May  4 07:58:35 prod-elk-1 logstash[10852]:     },
May  4 07:58:35 prod-elk-1 logstash[10852]:                "host" => "prod-elk-1"
May  4 07:58:35 prod-elk-1 logstash[10852]: }

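It's normal and expected if you have a stdout { codec => rubydebug } output in your configuration: that output prints every event to the process's standard output, which for a service ends up in syslog, and log.level only affects Logstash's own log messages. Remove it.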

@magnusbaeck Thanks for pointing that out. Appreciate your help :thumbsup:
