Logstash syslog issue

cybersecc · March 23, 2018, 2:49pm

Hello,
I have configured a remote server to send syslog to logstash.. When I run tcpdump -Xni eth0 I can see that syslog packets are coming to logstash server, but in elasticsearch I see no results. By the way I read all related topic and tried all configs but no luck. I even tried to output to a file .. I've concluded that logstash input is the problem, here is my input conf:
"""
tcp {
port => 5046
type => syslog
}
udp {
port => 5046
type => syslog
workers => 3
queue_size => 72000
receive_buffer_bytes => 31457280
}
"""

Help is needed here

Christian_Dahlqvist · March 24, 2018, 8:03am

How have you concluded that the input is the problem? It looks OK as far as I can see.

cybersecc · March 26, 2018, 8:19am

I have run tcpdump and packets are coming from the remote syslog, but I can see nothing in elasticsearch, I tried ti output to a file but nothing

Christian_Dahlqvist · March 26, 2018, 8:21am

What does the rest of your Logstash config look like? Have you tried outputting to a stdout plugin with a rubydebug codec to what is actually being processed? have you tried to increase the Logstash logging level to debug to see if there are any errors reported?

cybersecc · March 26, 2018, 8:23am

elasticsearch {
    hosts => ["elasticsearch"]
    index => "syslog-%{+YYYY-MM-dd}"
    document_id => "%{@uuid}"
}

this is my output. I do not use rubydebug can you guide me through?

Christian_Dahlqvist · March 26, 2018, 8:31am

Add this to the output section:

stdout {
  codec => rubydebug
}

What about the rest of the config? Where does the uuid come from?

Do you see anything in the logs?

cybersecc · March 26, 2018, 8:57am

this is logstash's log
[2018-03-23T14:16:45,927][INFO ][logstash.inputs.udp ] UDP listener started {:address=>"0.0.0.0:5046", :receive_buffer_bytes=>"31457280", :queue_size=>"72000"}

rubydebug: All I see is other logs in the output but I see nothing related to syslog also there is no error. (My logstash is on a docker container so I used this cmd: sudo docker logs -f logstash_1), plz correct me if I'm wrong.

I must say that in my elastic I can see IDS, vuln scanner logs, and even docker syslog

rcowart · March 26, 2018, 9:36am

Make sure that the incoming data is not blocked by a local firewall. On Linux tcpdump see packets before they are evaluated by the firewall.

cybersecc · March 26, 2018, 10:11am

no problems with firewall I enabled the port

system · April 23, 2018, 10:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash with syslog input doesn't send logs to Elasticsearch Logstash elastic-stack-security	1	491	July 22, 2020
Logstash dont receive log Logstash	3	322	September 20, 2018
Syslog to elasticsearch, can't get it working Logstash	2	1004	April 23, 2017
Logstash is not sending logs in ElasticSearch Logstash	4	564	June 2, 2017
Logstash not sending syslog to elasticsearch Logstash	42	3778	December 17, 2021

Logstash syslog issue

Related topics