hello,
I was aked to install a Log server with rsyslog or syslog-ng(don't know which one is better) and to analysis this data with ELK. My question is : is it possible to tell stack ELK to get the log on the first server ?
hello,
I was aked to install a Log server with rsyslog or syslog-ng(don't know which one is better) and to analysis this data with ELK. My question is : is it possible to tell stack ELK to get the log on the first server ?
When you say "the first server" do you mean on the rsyslog log server? Or on the client machine sending to the rsyslog server? You can do either, as well as using logstash as the receiver from a client running rsyslog.
IMO syslog-ng is not worth using unless you have BSD based clients (Mac, Free/OpenBSD etc).
yes i meant the syslog server, so when i install logstash on an ohter server, i have to tell logstash to get the log from the syslog server then ?
And thanks for helping me
You can just install logstash itself - it can receive syslog formatted messages from syslog compadible clients.
So on your clients' config /etc/rsyslog.d/60-logstash.conf
.;auth.authpriv.none @@logstash.example.com
will send everything but auth logs via TCP to your logstash server. On the logstash server use the syslog input filter
Another option is to install the file input on the syslog server and have it look at /var/log/stuff
If you're using a recent version of Rsyslog, you can bypass the need for regular-expression/grok extraction of the raw syslog data with something like this: https://gist.github.com/untergeek/0373ee85a41d03ae1b78
The json output module for Rsyslog is awesome that way.
Starting with a new technology in most cases means doing iterations until you reached the goal you want.
When starting with the ELK stack, I found it easier (and more 'boss'-compliant ) to have a central (r)syslog server collecting data from all other servers/client in a certain directory ( i.e.: /data/log/<HOSTNAME>/<YEAR>/<MONTH>/<DAY>/<FACILITY>.log
) and then having logstash on the same server reading file inputs and outputting to elasticsearch (which could be on a different server).
Having this architecture you basically decouple logging (done with rsyslog) from ELK.
It was useful especially when learning how to 'grok' events to do some manipulation (if I messed up, I could delete the elastic search indices and start over).
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.