I have tried with this command: tcpdump -vvv -A -i any port 5044
It receives the syslog messages:
12:41:34.438831 IP (tos 0x0, ttl 128, id 37582, offset 0, flags [none], proto UDP (17), length 374)
gateway.lxi-evntsvc > elastic.sys.lxi-evntsvc: [udp sum ok] UDP, length 346
E..v......%#.......4.....ba.<310>Sep 7 12:01:46 SYSTROMEGGN OTHERS: SerialNum=H00DS-8F64T-2T00L-5965G-436H4 GenTime="2021-09-07 12:01:46" UserID=2 UserName=192.168.0.30 SrcIP=192.168.0.30 DstIP=4.2.2.2 Protocol=DNS SrcPort=53575 DstPort=53 SrcMac=00:0c:29:c1:bf:61 DstMac=c0:83:59:6d:00:01 AppName=dns AppNameEn=dns AppCateName=network-protocol AppAction=Protocol_standard
But Logstash does not receive the syslog messages.
sudo service logstash status
Sep 07 11:58:35 elastic.sys logstash[5031]: [2021-09-07T11:58:35,929][WARN ][logstash.outputs.elasticsearch][main] Restored connection to ES instance {:url=>"https://logstash_writer:xxxxxx@elastic.sys:9200/"}
Sep 07 11:58:35 elastic.sys logstash[5031]: [2021-09-07T11:58:35,982][INFO ][logstash.outputs.elasticsearch][main] Elasticsearch version determined (7.14.0) {:es_version=>7}
Sep 07 11:58:35 elastic.sys logstash[5031]: [2021-09-07T11:58:35,985][WARN ][logstash.outputs.elasticsearch][main] Detected a 6.x and above cluster: the `type` event field won't be used to determine the document _type {:es_version=>7}
Sep 07 11:58:36 elastic.sys logstash[5031]: [2021-09-07T11:58:36,194][INFO ][logstash.outputs.elasticsearch][main] Using a default mapping template {:es_version=>7, :ecs_compatibility=>:disabled}
Sep 07 11:58:36 elastic.sys logstash[5031]: [2021-09-07T11:58:36,513][INFO ][logstash.javapipeline ][main] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>500, "pipeline.sources"=>["/etc/logstash/conf.d/syslog.conf"], :thread=>"#<Thread:0x6673970d run>"}
Sep 07 11:58:38 elastic.sys logstash[5031]: [2021-09-07T11:58:38,306][INFO ][logstash.javapipeline ][main] Pipeline Java execution initialization time {"seconds"=>1.79}
Sep 07 11:58:38 elastic.sys logstash[5031]: [2021-09-07T11:58:38,340][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
Sep 07 11:58:38 elastic.sys logstash[5031]: [2021-09-07T11:58:38,457][INFO ][logstash.inputs.udp ][main][b8f2aee75012de3d08b90d09c7e821b70188d384fc333f1831c5785bf6dc8f59] Starting UDP listener {:address=>"0.0.0.0:5044"}
Sep 07 11:58:38 elastic.sys logstash[5031]: [2021-09-07T11:58:38,473][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
Sep 07 11:58:38 elastic.sys logstash[5031]: [2021-09-07T11:58:38,506][INFO ][logstash.inputs.udp ][main][b8f2aee75012de3d08b90d09c7e821b70188d384fc333f1831c5785bf6dc8f59] UDP listener started {:address=>"0.0.0.0:5044", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}
This is my conf file:
input {
  udp {
    port => 5044
    type => "syslog"
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{USERNAME:hostname}%{DATA:syslog_program}:%{GREEDYDATA:syslog_message}" }
    }
    date {
      # the grok pattern above stores the time in syslog_timestamp, not timestamp
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
    ruby {
      code => "
        # only parse when grok produced syslog_message; on a grok failure split would raise
        if event.get('syslog_message')
          fieldArray = event.get('syslog_message').split(' ');
          for field in fieldArray
            # split on the first '=' only so values containing '=' are not truncated
            name, value = field.split('=', 2);
            next if value.nil?
            if value =~ /[0-9]/
              if value =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$/
                event.set(name, value)          # keep IPv4 addresses as strings
              else
                if value =~ /[A-Za-z]/          # [A-z] would also match [, \, ], ^, _ and backtick
                  event.set(name, value)
                else
                  event.set(name, value.to_i)   # purely numeric values become integers
                end
              end
            else
              event.set(name, value)
            end
          end
        end
      "
    }
  }
}
output {
  elasticsearch {
    hosts => ["https://elastic.sys:9200"]
    cacert => "/etc/logstash/certs/ca.crt"
    user => "logstash_writer"
    # credential redacted; Logstash resolves ${VAR} from the keystore or the environment
    password => "${LOGSTASH_WRITER_PASSWORD}"
    index => "syslog"
  }
  # when Logstash runs as a service, this output lands in the journal, not on a terminal
  stdout { codec => rubydebug }
}
Please help me.
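The ruby filter in the post turns the key=value body of each syslog message into typed event fields. The standalone Ruby script below is an added example, not the poster's filter or Logstash code: it applies the same typing rules (dotted quads and values with letters stay strings, purely numeric values become integers) to the payload captured in the tcpdump output above, and additionally keeps a double-quoted value such as GenTime="2021-09-07 12:01:46" intact, which a plain split(' ') breaks into two tokens, and returns an empty hash when the message is missing instead of raising. The SAMPLE_MESSAGE constant is constructed from the page's packet capture; the function names are my own.

```ruby
# Added example: standalone key=value parser mirroring the typing done by the
# Logstash ruby filter in the post (not the poster's code). Extended to keep
# double-quoted values whole and to tolerate a missing message.

IPV4_RE = /\A\d{1,3}(?:\.\d{1,3}){3}\z/

# Sample payload constructed from the tcpdump capture in the post (the part
# after the syslog PRI and header).
SAMPLE_MESSAGE = 'SerialNum=H00DS-8F64T-2T00L-5965G-436H4 GenTime="2021-09-07 12:01:46" ' \
                 'UserID=2 UserName=192.168.0.30 SrcIP=192.168.0.30 DstIP=4.2.2.2 ' \
                 'Protocol=DNS SrcPort=53575 DstPort=53 SrcMac=00:0c:29:c1:bf:61 ' \
                 'DstMac=c0:83:59:6d:00:01 AppName=dns AppNameEn=dns ' \
                 'AppCateName=network-protocol AppAction=Protocol_standard'

# Split on whitespace but keep a double-quoted value (which may contain spaces)
# attached to its key. Returns an array of "key=value" tokens.
def tokenize(message)
  message.scan(/\S+="[^"]*"|\S+/)
end

# Typing rules: IPv4 addresses stay strings, anything containing a letter stays
# a string, values made only of digits become Integers, everything else is left
# as the original string. (The filter in the post calls to_i on any value
# without letters, which would turn a value like 12-34 into 12.)
def coerce(value)
  return value if value =~ IPV4_RE
  return value if value =~ /[A-Za-z]/   # [A-Za-z], not [A-z], which also matches punctuation
  return value.to_i if value =~ /\A-?\d+\z/
  value
end

# Parse a "k=v k2=v2 ..." message into a Hash of typed fields.
# A nil or blank message yields {} rather than raising, and tokens without
# '=' are skipped rather than producing a nil-valued field.
def parse_kv(message)
  return {} if message.nil? || message.strip.empty?
  tokenize(message).each_with_object({}) do |token, fields|
    key, raw = token.split('=', 2)         # split on the first '=' only
    next if raw.nil?
    raw = raw[1..-2] if raw.start_with?('"') && raw.end_with?('"')  # strip quotes
    fields[key] = coerce(raw)
  end
end

if __FILE__ == $PROGRAM_NAME
  parse_kv(SAMPLE_MESSAGE).each { |k, v| puts "#{k} => #{v.inspect}" }
end
```

Running the script prints one line per field; UserID, SrcPort and DstPort come out as Integers, the addresses, MACs and the quoted GenTime as Strings. The same tokenizer and coerce logic can be dropped into the ruby filter's code block if quoted values are expected in production messages.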