I have followed this Digital Ocean tutorial to send logs to logstash via rsyslog.
But I am not getting logs in logstash. I am sending logs to a centralized rsyslog-server, and then to logstash. This rsyslog-server and logstash are on the same machine.
This is the /etc/rsyslog.d/50-default.conf file on rsyslog-client:
*.* @xx.xx.xx.xx:514
I have added this line at the top; the rest is the same.
This is the /etc/rsyslog.conf file on rsyslog-server:
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
I have enabled these modules; the rest is the same as the default. Below is the file /etc/rsyslog.d/01-json-template.conf:
template(name="json-template" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")   property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"@version\":\"1")
    constant(value="\",\"message\":\"")   property(name="msg" format="json")
    constant(value="\",\"sysloghost\":\"") property(name="hostname")
    constant(value="\",\"severity\":\"")  property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"")  property(name="syslogfacility-text")
    constant(value="\",\"programname\":\"") property(name="programname")
    constant(value="\",\"procid\":\"")    property(name="procid")
    constant(value="\"}\n")
}
And the last is my output file config, which sends data to logstash; it is also on the rsyslog-server machine:
*.* @127.0.0.1:5044;json-template
Below is my logstash configuration:
input {
    udp {
        host => "127.0.0.1"
        port => "5044"
        codec => "json"
        type => "rsyslog"
    }
}
output {
    elasticsearch {
        hosts => [ "localhost:9200" ]
        user => "xxxxxxxx"
        password => "xxxxxxx"
        index => "%{type}_index"
    }
}
Still, with all this configuration, I don't see my rsyslog_index in elasticsearch. All the ports are up and running, and there is no firewall issue either.
What and where is the problem?
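The question describes a two-hop pipeline (client rsyslog, UDP 514, server rsyslog, UDP 5044 with the json-template, Logstash json codec), and the usual way to localise the break is to stand in for Logstash on the last hop and look at what rsyslog actually delivers. The following is an added diagnostic script, not code from the question, the Digital Ocean tutorial, rsyslog or Logstash. It binds the UDP port the Logstash input would use (stop Logstash first, or pass another port), receives one datagram, and reports the reason Logstash's json codec would not have produced a document: nothing arrives at all (rsyslog on the server is not forwarding to that host:port), a plain `<PRI>` syslog line arrives (the forwarding rule was applied without `;json-template`), or the JSON is missing keys the template emits. The `render_json_template` helper builds a datagram in the same shape as the template so the receiver can be exercised without a running rsyslog; the field set and the assumption that `json.dumps` escaping matches `property(... format="json")` are this example's own. Note that a single `@` in the rsyslog rule means UDP, which is what the Logstash `udp` input expects; `@@` would be TCP.

```python
"""Diagnostic receiver for the rsyslog -> Logstash UDP/JSON hop (added example)."""
import json
import socket
from datetime import datetime, timezone

# Keys emitted by the 01-json-template.conf list template in the question.
REQUIRED_KEYS = {
    "@timestamp", "@version", "message", "sysloghost",
    "severity", "facility", "programname", "procid",
}


def render_json_template(msg, hostname, severity, facility, programname,
                         procid, timereported=None):
    """Build one datagram shaped like the json-template output.

    This is an assumed equivalent of rsyslog's rendering, used only to exercise
    the receiver; rsyslog does the real rendering. Ends in '\\n' like the template.
    """
    if timereported is None:
        timereported = datetime.now(timezone.utc).isoformat()
    event = {
        "@timestamp": timereported,
        "@version": "1",
        "message": msg,
        "sysloghost": hostname,
        "severity": severity,
        "facility": facility,
        "programname": programname,
        "procid": procid,
    }
    # json.dumps escapes quotes and backslashes like property(format="json") does
    return json.dumps(event, separators=(",", ":")) + "\n"


def explain(datagram: bytes) -> str:
    """Return 'ok' if the Logstash json codec could index this datagram,
    otherwise a short reason describing the most likely misconfiguration."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\n")
    if text.startswith("<"):
        # RFC 3164/5424 lines start with <PRI>; the template output starts with '{'
        return "plain syslog received: forwarding rule is missing ';json-template'"
    try:
        event = json.loads(text)
    except json.JSONDecodeError as exc:
        return f"not valid JSON ({exc.msg}); Logstash would tag it _jsonparsefailure"
    if not isinstance(event, dict):
        return "JSON is not an object"
    missing = REQUIRED_KEYS - event.keys()
    if missing:
        return f"template keys missing: {sorted(missing)}"
    return "ok"


def open_listener(host="127.0.0.1", port=5044) -> socket.socket:
    """Bind the UDP socket where the Logstash udp input would listen."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def send_event(host: str, port: int, line: str) -> None:
    """Send one datagram the way '*.* @host:port;json-template' would (UDP)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("utf-8"), (host, port))


def receive_one(sock: socket.socket, timeout: float = 5.0) -> dict:
    """Wait for one datagram and return the parsed event with the sender's
    address under 'peer', or {'error': reason} if Logstash would have dropped it."""
    sock.settimeout(timeout)
    try:
        datagram, peer = sock.recvfrom(65535)
    except socket.timeout:
        return {"error": "no datagram received: rsyslog is not forwarding to this host:port"}
    reason = explain(datagram)
    if reason != "ok":
        return {"error": reason, "peer": peer[0]}
    event = json.loads(datagram.decode("utf-8", errors="replace"))
    event["peer"] = peer[0]
    return event


if __name__ == "__main__":
    # Stand-alone use: stop Logstash, run this, then `logger -t probe hello` on the client.
    listener = open_listener("127.0.0.1", 5044)
    print(receive_one(listener, timeout=30))
    listener.close()
```

If the script times out, the problem is in rsyslog on the server (or the hop from the client); if it prints the "missing ';json-template'" reason, the output rule is not being applied; if it prints a full event, the rsyslog side is fine and the remaining suspects are the Logstash side (the `json` codec, the `%{type}_index` name and the Elasticsearch credentials).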