Send log from rsyslog to ELK with X-PACK


After installing X-PACK (necessary for Watcher and securing access to Kibana), my linux logs do not go back to ELK.

Indeed, before the installation of X-PACK, I had the following configuration on my Debian client:


*.* @

This is the configuration on my ELK :

input {
  syslog {
    port => "5544"
    type => "rsyslog"

filter { }

output {
  if [type] == "rsyslog" {
    elasticsearch {
      hosts => [ "" ]
      index => "winlogbeat-%{+YYYY.MM.dd}"

Since installing X-PACK, I had to modify the winlogbeat.yml file on my client machines in order to add the elastic account and its password. I guess you have to do the same for a Linux. How can I do this?

Thank you for your answers.

Hi Alison,

You are correct in saying that once elasticsearch requires authentication, you will have to pass it when writing from logstash.
Please follow the steps documented here to create a user and assign it a role with sufficient permissions and use it in the output section (or use an existing user with enough permissions):

Also for informations on security, I would recommend this course which will cover roles, user creation and also securing elasticsearch :

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.