Problem to store syslog

Elastic Stack Logstash
1

Hi,

I am facing problem with processing of rsyslog messages by logstash. The goal is to receive syslogs from various devices, perform some filtration on base of Ip address/tags and so on and then send to different outputs.. The problem is that event if I can see the syslog messages on interface, logstash doesnt process them and no record on output.
I tried to simplify the config as much as possible, and later add the part to whole config (already processing inputs from fluentd) but still the same problem:

CONFIGURATION:
input {
udp {
port => 5514
host => "10.233.155.148"

type => "rsyslog"

syslog_field => "syslog"

}
}

filter { }

output {
stdout {codec => rubydebug}
file {
path => "/var/log/logstash/output_all-%{+YYYY-MM-dd}.log"
}
}

LOGSTASH-PLAIN.LOG
[2024-10-11T10:59:12,217][INFO ][logstash.javapipeline ][main] Pipeline Java execution initialization time {"seconds"=>1.46}
[2024-10-11T10:59:12,268][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
[2024-10-11T10:59:12,501][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>}
[2024-10-11T10:59:12,579][INFO ][logstash.inputs.udp ][main][c06d2d93e4e0af6b1dff1432a7469d4d7714365f70cee0b565fef72e184c7ff9] Starting UDP listener {:address=>"10.233.155.148:5514"}
[2024-10-11T10:59:12,623][INFO ][logstash.inputs.udp ][main][c06d2d93e4e0af6b1dff1432a7469d4d7714365f70cee0b565fef72e184c7ff9] UDP listener started {:address=>"10.233.155.148:5514", :receive_buffer_bytes=>"106496", :queue_size=>"2000"}

TCPDUMP:
10:58:51.115731 IP 10.233.141.215.syslog > 10.233.155.148.5514: SYSLOG local7.error, length: 158
10:58:51.115749 IP 10.233.141.215.syslog > 10.233.155.148.5514: SYSLOG local7.error, length: 146
10:58:54.966865 IP 10.233.141.215.syslog > 10.233.155.148.5514: SYSLOG local7.error, length: 148
10:58:54.966881 IP 10.233.141.215.syslog > 10.233.155.148.5514: SYSLOG local7.error, length: 160
10:59:20.259578 IP 10.233.141.215.syslog > 10.233.155.148.5514: SYSLOG local7.error, length: 201

No record to file or console.
Have you met with such problem? Do you have any idea, what could be wrong?

thank you

2

Solved. The problem was in routing - even if the UDP is connectionless protocol, linux perfoms check if source IP address of the message would be routed to the same interface as was received from. Due to fact that I didn't define reverse routing, the default route would be used which pointed to different interface. As soon as I added reverse route it works properly.