Receiving remote logs in logstash

I have configured an HSM to send logs via TCP to Logstash listening on port 5004, but nothing arrives. I did a test with Rsyslog on port 514 and the logs arrive. Where should I focus the search for the error? The services are up (Elastic, Logstash and Kibana).
Thanks for the help.
ELK is installed on CentOS 7.

What is HSM?
What does your config for Logstash look like? What version are you running?

Hi,
Thanks for your response. HSM is a Hardware Security Module or cryptographic server; it can send the logs by TCP or UDP in SYSLOG or CEF format. I am sending by TCP SYSLOG.
Installed Packages
logstash.noarch 1:7.1.1-1 @elasticsearch-7.x

Config files
[root@localhost ~]# cat /etc/logstash/conf.d/*
input {
  tcp {
    # beats
    port => 5004
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["http://52.xxx.xxx.212:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

IP masked for security reasons.
I am new to ELK, so all advice is welcome.
Regards

What is your HSM log delivery config? Is it to port 5004 or 514?

I have done a clean install and now I have verified that the logs are arriving...

But I cannot see the logs in Kibana...
Any ideas?
Thanks
