Issue:
All syslog messages are being processed only by the Fortigate Syslog integration, while the custom UDP integrations for Aruba and F5 are being bypassed completely.
Question:
What's the recommended approach to configure multiple syslog sources (Aruba, F5, Fortigate) on a single Elastic Agent using the same port (514)? Looking for a solution that doesn't require setting up different ports for each system.
Additional Context:
- Need to maintain standard syslog port (514)
- Prefer to keep single agent configuration
- Require proper message routing to respective integrations
You cannot have multiple integrations listening on the same port; each integration is a different process, and you cannot bind different processes to the same port.
It is required to use a different port for each integration.
If you cannot change the port and need to use 514, you need something to reroute the events to the correct integration.
Depending on the version of the stack you are on, there is a new integration called Syslog Router that can do that. It has some pre-configured patterns to reroute to the correct integration, but you can also add extra patterns. This integration requires version 8.14.3 or higher and it is still in beta.
You can also do this reroute using rsyslog; in this case you would need to configure each integration with a different internal port, and in rsyslog you could direct the logs to each integration based on the source or some other logic.
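As an added illustration of the rsyslog approach described in this answer (example configuration, not from the original post or from Elastic), the rule set below owns UDP 514 and forwards each source to the internal localhost port its integration was configured with. The source addresses (10.10.x.x), the internal ports 5514/5515/5516 and the file path are placeholders to be replaced with the real ones.

```rsyslog
# /etc/rsyslog.d/10-route-to-elastic-agent.conf  (placeholder path)
# rsyslog is the only process bound to UDP 514; each Elastic Agent
# integration is instead configured to listen on its own port on 127.0.0.1.
module(load="imudp")
input(type="imudp" port="514" ruleset="route_to_agent")

ruleset(name="route_to_agent") {
    # Aruba devices (placeholder network) -> Aruba UDP integration on 127.0.0.1:5514
    if ($fromhost-ip startswith "10.10.1.") then {
        action(type="omfwd" target="127.0.0.1" port="5514" protocol="udp")
        stop
    }

    # F5 appliance (placeholder address) -> F5 UDP integration on 127.0.0.1:5515
    if ($fromhost-ip == "10.10.2.5") then {
        action(type="omfwd" target="127.0.0.1" port="5515" protocol="udp")
        stop
    }

    # Fortigate firewall (placeholder address) -> Fortigate integration on 127.0.0.1:5516
    if ($fromhost-ip == "10.10.3.1") then {
        action(type="omfwd" target="127.0.0.1" port="5516" protocol="udp")
        stop
    }

    # Anything from an unexpected source is kept locally instead of being
    # silently delivered to the wrong integration; review this file to find
    # devices that still need a routing rule.
    action(type="omfile" file="/var/log/unrouted-syslog.log")
}
```

The internal ports must match the UDP port set in each integration's policy; because the three integrations now bind different ports, the original conflict on 514 no longer exists.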
Thanks Leandro, that's very helpful! I'm wondering: if I have these integrations on different agent instances but still with the same port (so essentially I'm going to switch to a multi-agent setup), will it solve this problem?