I want to configure the log path Filebeat -> Logstash -> Elasticsearch and syslog-ng (or rsyslog).
I configured syslog-ng to receive the log following the instructions at: Sending logs from Logstash to syslog-ng - Blog - syslog-ng Community. However, this log contains the entire log content from Logstash. This makes it difficult for me.
Example: The original log in /var/log/auth.log is as follows:
Jan 25 16:29:01 TOBY CRON[52171]: pam_unix(cron:session): session opened for user root by TOBYTEST
But in syslog-ng, which I reconfigured, I get the following:
Jan 25 16:28:38 192.168.0.18 "ubuntu-srv","os":{"kernel":"5.4.0-94-generic","codename":"focal","name":"Ubuntu","family":"debian","type":"linux","version":"20.04.3 LTS (Focal Fossa)","platform":"ubuntu"},"ip":["192.168.0.20","fe80::20c:29ff:fe7e:e409"],"containerized":false,"name":"ubuntu-srv","id":"54c327f620594e9faab9b7b42ebb37c3","mac":["00:0c:29:7e:e4:09"],"architecture":"x86_64"} LOGSTASH[-]: 2022-01-25T09:28:37.731Z {hostname=ubuntu-srv, os={kernel=5.4.0-94-generic, codename=focal, name=Ubuntu, family=debian, type=linux, version=20.04.3 LTS (Focal Fossa), platform=ubuntu}, ip=[192.168.0.20, fe80::20c:29ff:fe7e:e409], containerized=false, name=ubuntu-srv, id=54c327f620594e9faab9b7b42ebb37c3, mac=[00:0c:29:7e:e4:09], architecture=x86_64} Jan 25 16:29:01 TOBY CRON[52171]: pam_unix(cron:session): session opened for user root by TOBYTEST
Here 192.168.0.20 is the IP of the server running Filebeat, and 192.168.0.18 is the server running Logstash (ELK).
So how can syslog-ng (or rsyslog) receive only the same log line as the original one from Filebeat?
Please help me. Thank you!
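As an added example (not part of the original post, and not the syslog-ng blog's configuration), the Logstash pipeline below forwards only the original line from /var/log/auth.log to syslog-ng. The extra material in the post's output has the shape of Logstash's default event rendering ("<timestamp> <host> <message>"), and the JSON object in the syslog HOSTNAME field comes from the default `sourcehost => "%{host}"`, because Filebeat 7.x sends `host` as an object rather than a string. The example pins both explicitly. Assumptions: syslog-ng listens on 192.168.0.18 (the host in the post) on UDP port 514, and the Beats input port is 5044; both port values are assumptions.

```logstash
# Added example, not from the original post.
# Assumed: syslog-ng on 192.168.0.18:514/UDP, Filebeat shipping to port 5044.

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]   # assumed local Elasticsearch
  }

  syslog {
    host     => "192.168.0.18"
    port     => 514
    protocol => "udp"
    rfc      => "rfc5424"

    # Filebeat >= 7 sends [host] as an object, so the default "%{host}"
    # renders the whole map into the syslog HOSTNAME field (as seen in the
    # post). Use the name sub-field instead.
    sourcehost => "%{[host][name]}"
    appname    => "filebeat"

    # The plugin sends whatever its codec emits. Without an explicit format the
    # codec emits "<@timestamp> <host> <message>", which is the prefix shown in
    # the post. Emitting only %{message} sends the original auth.log line.
    codec => line { format => "%{message}" }
  }
}
```

After saving the pipeline, `bin/logstash --config.test_and_exit -f <pipeline.conf>` checks the syntax before a restart. With this output configuration, syslog-ng receives one RFC 5424 message per Filebeat event whose MSG part is exactly the original line, e.g. `Jan 25 16:29:01 TOBY CRON[52171]: pam_unix(cron:session): session opened for user root by TOBYTEST`; syslog-ng still prepends its own timestamp and the HOSTNAME (`ubuntu-srv`) when it writes the line to a file destination. If the original syslog header from the source host must be preserved verbatim, keep `rfc => "rfc3164"` and leave the message untouched as above; the Elasticsearch output still receives the full structured event, so nothing is lost on the ELK side.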