Logstash syslog issue

cybersecc · March 23, 2018, 2:49pm

Hello,
I have configured a remote server to send syslog to logstash.. When I run tcpdump -Xni eth0 I can see that syslog packets are coming to logstash server, but in elasticsearch I see no results. By the way I read all related topic and tried all configs but no luck. I even tried to output to a file .. I've concluded that logstash input is the problem, here is my input conf:
"""
tcp {
port => 5046
type => syslog
}
udp {
port => 5046
type => syslog
workers => 3
queue_size => 72000
receive_buffer_bytes => 31457280
}
"""

Help is needed here

Christian_Dahlqvist · March 24, 2018, 8:03am

How have you concluded that the input is the problem? It looks OK as far as I can see.

cybersecc · March 26, 2018, 8:19am

I have run tcpdump and packets are coming from the remote syslog, but I can see nothing in elasticsearch, I tried ti output to a file but nothing

Christian_Dahlqvist · March 26, 2018, 8:21am

What does the rest of your Logstash config look like? Have you tried outputting to a stdout plugin with a rubydebug codec to what is actually being processed? have you tried to increase the Logstash logging level to debug to see if there are any errors reported?

cybersecc · March 26, 2018, 8:23am

elasticsearch {
    hosts => ["elasticsearch"]
    index => "syslog-%{+YYYY-MM-dd}"
    document_id => "%{@uuid}"
}

this is my output. I do not use rubydebug can you guide me through?

Christian_Dahlqvist · March 26, 2018, 8:31am

Add this to the output section:

stdout {
  codec => rubydebug
}

What about the rest of the config? Where does the uuid come from?

Do you see anything in the logs?

cybersecc · March 26, 2018, 8:57am

this is logstash's log
[2018-03-23T14:16:45,927][INFO ][logstash.inputs.udp ] UDP listener started {:address=>"0.0.0.0:5046", :receive_buffer_bytes=>"31457280", :queue_size=>"72000"}

rubydebug: All I see is other logs in the output but I see nothing related to syslog also there is no error. (My logstash is on a docker container so I used this cmd: sudo docker logs -f logstash_1), plz correct me if I'm wrong.

I must say that in my elastic I can see IDS, vuln scanner logs, and even docker syslog

rcowart · March 26, 2018, 9:36am

Make sure that the incoming data is not blocked by a local firewall. On Linux tcpdump see packets before they are evaluated by the firewall.

cybersecc · March 26, 2018, 10:11am

no problems with firewall I enabled the port

system · April 23, 2018, 10:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.