Logstash syslog output plugin not setting facility

sysinit · March 29, 2017, 6:40pm

Hi,

I want to use the logstash syslog output plugin (Syslog output plugin | Logstash Reference [8.11] | Elastic) to send specific logs to a remote host.

It doesn't work if I configure the output to send to the remote host directly, can't figure out why (remote site isn't under my control).
So I tried to send to a local rsyslog instance, which then should forward the logs to the remote host.
For that I want to set "facility => local5" in the output configuration, and let rsyslog forward everything with local5.* to the remote site.
But nothing gets send out. Only when I tell rsyslog to send everything ( *.* ) it works.

Configs look like this:

logstash:

output {
      syslog {
      host => "localhost"
      port => "5141"
      protocol => "tcp"
      facility => "local5"
      severity => "informational"
    }
}

rsyslog:

$ModLoad imuxsock # local message reception
$WorkDirectory /var/log/rsyslog/ # default location for work (spool) files
$ActionQueueType LinkedList # use asynchronous processing
$ActionQueueFileName srvrfwd # set file name, also enables disk mode
$ActionResumeRetryCount -1 # infinite retries on insert failure
$ActionQueueSaveOnShutdown on # save in-memory data if rsyslog shuts down

# this does not work: 
# local5.*   @@remotehost.tld:443
# this works: 
*.*   @@remotehost.tld:443

So I suspect that the facility doesn't get set correctly.
Any ideas?

magnusbaeck · March 30, 2017, 5:55am

What if you use netcat to listen to a (different) TCP port and dump the results? What does Logstash actually send if you direct it to that port?

fragatina · April 10, 2017, 11:11pm

Hi, I'm having the same issue with logstash-output-syslog-3.0.1.
It seems that if you configure to sent to facility local5 it sends it to local3 and if you specify local7 then it'll send it to local5 and so on (2 less than what we configure).

fragatina · April 14, 2017, 1:16am

This seems like a regression because I've used to use logstash-output-syslog (0.1.4) and it works fine with the same config but 3.0.1 doesn't work

fragatina · May 4, 2017, 6:56am

Nobody else sees this issue?

fragatina · May 25, 2017, 8:28am

Still not resolved or got traction. I'll open a issue for that plugin

system · June 22, 2017, 8:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash-output-syslog plugin sends incorrect facility Logstash	2	293	December 16, 2020
Centos 7.5 with rsyslog 8.24 / logstash 6.3.0 - on logstash output always severity code 5 and facility code 1 - Other post found on but still not solved Logstash	2	1717	August 14, 2018
Sending syslog logs through logstash Elasticsearch	2	349	September 22, 2020
Rsyslog is not forwarding logs to elasticsearch Logstash	7	991	January 29, 2023
Rsyslog to send logs to logstash Logstash	12	8602	March 22, 2021

Logstash syslog output plugin not setting facility

Related topics