Send Logstash internal logs to Syslog

We want to send Logstash's own logs to syslog instead of to a file. Unfortunately, there is very little information about what the log configuration should look like for this approach. So far, what we've come up with is the following:

log4j.rootLogger=INFO, SYSLOG

log4j.appender.SYSLOG=com.github.loggly.log4j.SyslogAppender64k
log4j.appender.SYSLOG.SyslogHost=localhost
log4j.appender.SYSLOG.Facility=Local0
log4j.appender.SYSLOG.Header=true
log4j.appender.SYSLOG.layout=org.apache.log4j.EnhancedPatternLayout
log4j.appender.SYSLOG.layout.ConversionPattern=java %d{ISO8601}{GMT} %p %t %c %M - %m%n

However, this does not seem to work. Does anybody know what the log4j2.properties file needs to look like to have Logstash send its own logs to syslog?

In log4j.properties you can add this:

appender.syslog.name = syslog
appender.syslog.type = Syslog
appender.syslog.host = localhost
appender.syslog.protocol = tcp
appender.syslog.port = 514

rootLogger.appenderRef.syslog.ref = syslog

More configuration parameters can be found here:
https://logging.apache.org/log4j/log4j-2.7/manual/appenders.html#SyslogAppender

The configs are very picky about trailing whitespace, especially after the "type" fields.

Logstash 6.6 comes with Log4J 2.9.1 from September 2017; it should contain the optional RFC5424Layout, but I believe by default the SyslogLayout is used. Config examples from before 2016 don't seem to be working.
https://issues.apache.org/jira/browse/LOG4J2-969

Your example comes from loggly's version of the syslog appender. If you're serious about using it, you should add their JAR to the Java classpath.

I'm not using the log4j syslogappender myself.

Awesome, thanks for that. I will go test that now. What logger are you using to log to syslog?
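
Added example, not written by any poster in this thread and not Logstash or Log4j code: a small check for a log4j2.properties file that flags the trailing whitespace the reply above warns about, Log4j 1.x style keys like those in the question, and appenderRef entries that do not match a defined appender name. The function name `lint_log4j2_properties` and the `SAMPLE` text are hypothetical and constructed for illustration; only `key = value` lines are handled.

```python
import re

# Constructed sample: the answer's appender block with a trailing space after
# the "type" value, plus one Log4j 1.x style line like those in the question.
SAMPLE = (
    "appender.syslog.name = syslog\n"
    "appender.syslog.type = Syslog \n"
    "appender.syslog.host = localhost\n"
    "appender.syslog.protocol = tcp\n"
    "appender.syslog.port = 514\n"
    "log4j.appender.SYSLOG.Facility=Local0\n"
    "rootLogger.appenderRef.syslog.ref = syslog\n"
)

REF_KEY = re.compile(r"(rootLogger|logger\.[^.]+)\.appenderRef\.[^.]+\.ref")

def lint_log4j2_properties(text):
    """Return a list of (line_number, message) findings; [] means clean."""
    findings, names, refs = [], {}, {}
    for no, raw in enumerate(text.splitlines(), 1):
        key, sep, value = raw.partition("=")
        key = key.strip()
        # Assumption: only "key = value" lines are checked; comments are skipped.
        if not sep or key.startswith(("#", "!")):
            continue
        if value != value.rstrip():
            findings.append((no, f"trailing whitespace after {key}"))
        value = value.strip()
        if key.startswith("log4j."):
            # Log4j 1.x syntax; the Log4j 2 properties format uses appender.<id>.*
            findings.append((no, f"Log4j 1.x style key {key}"))
        elif re.fullmatch(r"appender\.[^.]+\.name", key):
            names[value] = no
        elif REF_KEY.fullmatch(key):
            refs[value] = no
    # An appenderRef must name a defined appender, and an appender that no
    # logger references never receives events.
    for ref, no in refs.items():
        if ref not in names:
            findings.append((no, f"appenderRef to undefined appender {ref}"))
    for name, no in names.items():
        if name not in refs:
            findings.append((no, f"appender {name} is not referenced"))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, message in lint_log4j2_properties(SAMPLE):
        print(f"line {line_no}: {message}")
```

Running a check like this before restarting Logstash catches a silently ignored appender, which otherwise shows up only as internal logs missing from syslog.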
