Logstash <-> Logstash using lumberjack. Beats input can not be passed through?

Elastic Stack Logstash
1

Hi,

I have an issues with lumberjack and Logstash to Logstash communication. I have 2 sites, and have a logstash on each site. They are connected with a VPN connection over the internet.

I can get the Lumberjack connected and i receiving syslog data over the lumberjack connection but the problem is I can't get my beats input through. I have Winlogbeats and syslog devices there sends data to my logstash A. Lumberjack should forward all data to Logstash B and send the data to Elasticsearch. my config is attached below.

Is lumberjack not the right way to go anymore? or are beats not supported over lumperjack? I cant find anything online? - If i send all the logdata from Logstash A directly to the ElasticSearch its work, but it cant work like that, we have to send the logstash though the logstash on site B as well. Logstash running 7.3.0 on site A, and 7.3.1 on site B. Should not make the big differences.

Thanks :slight_smile:

Configfile:

LOGSTASH A (SENDING LOGSTASH)

input {
beats {
type => "winlogbeats"
port => 5044
}
udp {
type => "DeviceA"
port => 514
}
udp {
type => "DeviceB"
port => 2000
}
beats {
type => "packetbeat"
port => 2001
}
udp {
type => "DeviceC"
port => 2002
}
}

output {
lumberjack {
hosts => ["LOGSTASHB"]
port => 4545
ssl_certificate => "LOCATION/TO/CERT/lumberjack.cert"
}
}

LOGSTASH B (RECEIVING LOGSTASH)

input {
lumberjack {
port => 4545
ssl_certificate => "LOCATION/TO/CERT/lumberjack.cert"
ssl_key => "LOCATION/TO/CERT/lumberjack.key"
}
}

output {
if [type] == "winlogbeats" {
elasticsearch {
hosts => "https://ELASTICSEARCH:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
user => USERNAME
password => PASSWORD
ssl => true
ssl_certificate_verification => false
}
}
if [type] == "DEVICEA" {
elasticsearch {
hosts => ["https://ELASTICSEARCH:9200"]
index => "DEVICEA-%{+YYYY.MM.dd}"
user => USERNAME
password => PASSWORD
ssl => true
ssl_certificate_verification => false
}
}
if [type] == "DEVICEB" {
elasticsearch {
hosts => ["https://ELASTICSEARCH:9200"]
index => "DEVICEB-%{+YYYY.MM.dd}"
user => USERNAME
password => PASSWORD
ssl => true
ssl_certificate_verification => false
}
}
if [type] == "packetbeat" {
elasticsearch {
hosts => ["https://ELASTICSEARCH:9200"]
index => "packetbeat-%{+YYYY.MM.dd}"
user => USERNAME
password => PASSWORD
ssl => true
ssl_certificate_verification => false
}
}
if [type] == "DEVICEC" {
elasticsearch {
hosts => ["https://ELASTICSEARCH:9200"]
index => "DEVICEC%{+YYYY.MM.dd}"
user => USERNAME
password => PASSWORD
ssl => true
ssl_certificate_verification => false
}
}
}

2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.