Minimal filebeat config: syslog -> file

In an attempt to walk before running I thought I'd set up a filebeat instance as a syslog server and then use logger to send log messages to it.

My Docker Compose configuration for setting up filebeat is

filebeat:
  image: docker.elastic.co/beats/filebeat:6.3.1
  stdin_open: true
  tty: true
  command: filebeat -v -c /config-dir/filebeat.yml
  restart: always
  ports:
    - "5000:5000"
  volumes:
    - ./log-cfg/filebeat.yml:/config-dir/filebeat.yml
    - ./beat-out/:/beat-out/

The file filebeat.yml contains

filebeat.inputs:
  - type: syslog
    protocol.tcp.host: "localhost:5000"

output.file.path: "/beat-out"

logging:
  level: debug
  to_files: true

Bringing up filebeat with docker-compose up filebeat succeeds. And sending log messages using logger --server localhost --port 5000 --tcp --rfc3164 "An error" succeeds too. However, there is nothing printed to any file in ./beat-out/.

Attaching to the running instance and inspecting the log (/usr/share/filebeat/logs/filebeat) doesn't help me understand what's missing. A log can be found at http://ix.io/1gdq. Also, nothing appears in the filebeat log when sending a syslog message with logger.

What am I missing here?

The syslog input is being bound to the container's loopback interface. Just need to remove the host name:

protocol.tcp.host: ":5000"


Indeed! Thanks!

I do wonder what answered logger when it tried to connect to port 5000 locally...

That was docker itself. If you try to connect to a bound port that is closed inside the container, docker will still accept the connection and then close it immediately.
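A delivery check for the failure in this thread, where logger reported success but nothing reached Filebeat. This is an added example, not code from any poster or from the Filebeat project. It sends one syslog line over TCP and reports whether the peer drops the connection straight away, as the last reply describes for a published port with nothing bound behind it. `probe_syslog_tcp`, `start_stand_in` and `PROBE_LINE` are hypothetical names, and the two local listeners are constructed stand-ins for that behaviour and for a receiver that reads.

```python
import socket
import threading

PROBE_LINE = b"<11>Jul  9 12:00:00 probe test: An error\n"  # constructed RFC 3164 line

def probe_syslog_tcp(host, port, wait=1.0):
    """Send one syslog line, then watch whether the peer hangs up at once.

    "closed-by-peer": accepted, then dropped (nothing is reading behind the port)
    "held-open":      the peer keeps the connection, as a TCP receiver does
    "refused":        no connection could be made at all
    """
    try:
        sock = socket.create_connection((host, port), timeout=wait)
    except OSError:
        return "refused"
    with sock:
        try:
            sock.sendall(PROBE_LINE)
            data = sock.recv(1)        # a syslog receiver sends nothing back
        except socket.timeout:
            return "held-open"         # still connected after `wait` seconds
        except OSError:
            return "closed-by-peer"    # reset or broken pipe: peer already closed
        return "closed-by-peer" if data == b"" else "held-open"

def start_stand_in(close_at_once):
    """Constructed local listener for the demo; returns the port it bound."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def serve():
        while True:
            conn, _ = srv.accept()
            if not close_at_once:
                while conn.recv(4096):  # read until the sender disconnects
                    pass
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for label, flag in (("accept-then-close", True), ("reading receiver", False)):
        print(label, "->", probe_syslog_tcp("127.0.0.1", start_stand_in(flag), wait=0.5))
```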
