Logstash syslog issue

Hello,
I have configured a remote server to send syslog to Logstash. When I run tcpdump -Xni eth0 I can see that syslog packets are coming to the Logstash server, but in Elasticsearch I see no results. By the way, I read all related topics and tried all configs but no luck. I even tried to output to a file. I've concluded that the Logstash input is the problem, here is my input conf:
"""
tcp {
port => 5046
type => syslog
}
udp {
port => 5046
type => syslog
workers => 3
queue_size => 72000
receive_buffer_bytes => 31457280
}
"""

Help is needed here

How have you concluded that the input is the problem? It looks OK as far as I can see.

I have run tcpdump and packets are coming from the remote syslog, but I can see nothing in Elasticsearch. I tried to output to a file but nothing.

What does the rest of your Logstash config look like? Have you tried outputting to a stdout plugin with a rubydebug codec to see what is actually being processed? Have you tried increasing the Logstash logging level to debug to see if there are any errors reported?

elasticsearch {
    hosts => ["elasticsearch"]
    index => "syslog-%{+YYYY-MM-dd}"
    document_id => "%{@uuid}"
}

This is my output. I do not use rubydebug; can you guide me through it?

Add this to the output section:

stdout {
  codec => rubydebug
}

What about the rest of the config? Where does the uuid come from?

Do you see anything in the logs?

This is Logstash's log:
[2018-03-23T14:16:45,927][INFO ][logstash.inputs.udp ] UDP listener started {:address=>"0.0.0.0:5046", :receive_buffer_bytes=>"31457280", :queue_size=>"72000"}

rubydebug: All I see is other logs in the output, but I see nothing related to syslog, and there is no error. (My Logstash is in a Docker container, so I used this command: sudo docker logs -f logstash_1.) Please correct me if I'm wrong.

I must say that in my Elasticsearch I can see IDS, vuln scanner logs, and even Docker syslog.

Make sure that the incoming data is not blocked by a local firewall. On Linux, tcpdump sees packets before they are evaluated by the firewall.

No problems with the firewall, I enabled the port.
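One way to separate "packets reach the host" (what tcpdump shows) from "the Logstash listener actually receives and processes them" (what the rubydebug output shows) is to send a syslog line carrying a unique marker and grep the stdout output for that marker. The script below is an added example written for this thread, not code from the thread or from the Logstash project; the hostname, tag and the default 127.0.0.1:5046 target are assumptions, and the round-trip self-check uses a stand-in listener on an ephemeral port so it runs offline.

```python
import socket
import uuid
from datetime import datetime
from typing import Optional, Tuple


def pri(facility: int, severity: int) -> int:
    """Encode the RFC 3164 <PRI> value: facility * 8 + severity."""
    return facility * 8 + severity


def split_pri(value: int) -> Tuple[int, int]:
    """Inverse of pri(): returns (facility, severity)."""
    return value >> 3, value & 7


def build_syslog_message(marker: str, hostname: str = "probe-host",
                         tag: str = "ls-probe", facility: int = 1,
                         severity: int = 6) -> bytes:
    """Build an RFC 3164 style line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG (newline-terminated)."""
    ts = datetime.now().strftime("%b %d %H:%M:%S")
    return f"<{pri(facility, severity)}>{ts} {hostname} {tag}: probe {marker}\n".encode()


def send_probe(host: str, port: int, proto: str = "udp",
               marker: Optional[str] = None) -> str:
    """Send one marked message over UDP or TCP and return the marker to grep for."""
    marker = marker or uuid.uuid4().hex
    payload = build_syslog_message(marker)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (host, port))
    elif proto == "tcp":
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(payload)
    else:
        raise ValueError("proto must be 'udp' or 'tcp'")
    return marker


def udp_probe_roundtrip() -> Tuple[str, str]:
    """Offline self-check: bind a stand-in UDP listener and send a probe to it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # ephemeral port, not Logstash's 5046
        listener.settimeout(5)
        marker = send_probe("127.0.0.1", listener.getsockname()[1], "udp")
        data, _ = listener.recvfrom(65535)
    return marker, data.decode()


if __name__ == "__main__":
    # Assumed target: the Logstash udp input from the thread. Grep the
    # rubydebug output (docker logs -f logstash_1) for the printed marker.
    print(send_probe("127.0.0.1", 5046, "udp"))
```

If the marker shows up in rubydebug output but not in Elasticsearch, the problem is in the filter/output stage rather than the input; if it never shows up, check the container's published UDP port and the local firewall rules for 5046.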
