Rsyslog + Beats together

Elastic Stack Logstash
1

Hello,

I am trying to collect logs from rsyslog and filebeats. I have rsyslog configuration files:
01-json-template.conf

    template(name="json-template" type="list") {
        constant(value="{")
        constant(value="\"@timestamp\":\"")     property(name="timereported" dateFormat="rfc3339")
        constant(value="\",\"message\":\"")     property(name="msg" format="json")
        constant(value="\",\"hostname\":\"")    property(name="hostname")
        constant(value="\",\"programname\":\"") property(name="programname")
        constant(value="\"}\n")
    }

10-myservice.conf

if $syslogtag contains 'myservice' then {
    /var/log/myservice.log
    @@logstash-address:10514;json-template
    stop
}


And I have logstash.conf:
    input {
    <------>tcp {
    <------><------>port => 5000
    <------>}
    }

    input {
        beats {
            port => 5044
            type => "beats"
        }
    }

    input {
       tcp {
            port => 10514
            type => "rsyslog"
        }
    }

    filter {
        json { source => "message" }
        json { source => "log" }
    }

    output {
    <------>elasticsearch {
    <------><------>hosts => "elasticsearch:9200"
    <------><------>user => "elastic"
    <------><------>password => "changeme"
    <------>}
    }

With this logstash config, there are no logs from rsyslog. But if I remove input beats(5044), I can see logs from rsyslog in kibana.

So, can these two inputs work together?

2

multiple inputs in same conf file ?

3

yes, is it wrong?

4

I think you can specify number of inputs like tcp, beats etc inside one single input plugin
Ex:

input {
        beats {
            port => 5044
            type => "beats"
        }
       tcp {
            port => 10514
            type => "rsyslog"
        }
}
5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.