Rsyslog and ELK

Sdclmb · May 12, 2015, 11:54am

hello,

I was aked to install a Log server with rsyslog or syslog-ng(don't know which one is better) and to analysis this data with ELK. My question is : is it possible to tell stack ELK to get the log on the first server ?

JeremyinNC · May 12, 2015, 12:15pm

When you say "the first server" do you mean on the rsyslog log server? Or on the client machine sending to the rsyslog server? You can do either, as well as using logstash as the receiver from a client running rsyslog.

IMO syslog-ng is not worth using unless you have BSD based clients (Mac, Free/OpenBSD etc).

Sdclmb · May 12, 2015, 12:26pm

yes i meant the syslog server, so when i install logstash on an ohter server, i have to tell logstash to get the log from the syslog server then ?

And thanks for helping me

JeremyinNC · May 12, 2015, 4:42pm

You can just install logstash itself - it can receive syslog formatted messages from syslog compadible clients.

So on your clients' config /etc/rsyslog.d/60-logstash.conf

.;auth.authpriv.none @@logstash.example.com

will send everything but auth logs via TCP to your logstash server. On the logstash server use the syslog input filter

Another option is to install the file input on the syslog server and have it look at /var/log/stuff

theuntergeek · May 12, 2015, 6:47pm

If you're using a recent version of Rsyslog, you can bypass the need for regular-expression/grok extraction of the raw syslog data with something like this: https://gist.github.com/untergeek/0373ee85a41d03ae1b78

The json output module for Rsyslog is awesome that way.

elisiano · May 12, 2015, 7:39pm

Starting with a new technology in most cases means doing iterations until you reached the goal you want.
When starting with the ELK stack, I found it easier (and more 'boss'-compliant ) to have a central (r)syslog server collecting data from all other servers/client in a certain directory ( i.e.: /data/log/<HOSTNAME>/<YEAR>/<MONTH>/<DAY>/<FACILITY>.log) and then having logstash on the same server reading file inputs and outputting to elasticsearch (which could be on a different server).

Having this architecture you basically decouple logging (done with rsyslog) from ELK.
It was useful especially when learning how to 'grok' events to do some manipulation (if I messed up, I could delete the elastic search indices and start over).