Sending logs from logstash to syslog-ng

Hi,
I have a setup where I am able to send the logs from Log Files -> Filebeat -> Logstash -> rsyslog server.
But the customer has syslog-ng as the server. I have tried to work with the above pipeline with the Logstash syslog output plugin, but it is unable to send the logs to the syslog-ng server. Would the Logstash syslog output plugin work with a syslog-ng server or only an rsyslog server?
What I am looking for in short is Logstash -> syslog-ng server.
Any help is very much appreciated.

Thanks.

Have you looked at the output's rfc option?

Hi, depending on the platform and the kind of processing you do with filebeat/logstash, you might not even need them, and can read the log messages with syslog-ng directly.

If you stick to Logstash, check the format in which it sends out the log messages - you'll need a matching source on the syslog-ng server. If Logstash uses RFC3164 format (BSD-style syslog), use a network() source in syslog-ng. If it uses RFC5424, use a syslog() source.

HTH
Robert

Hi,
It seems to me that Logstash sends a new syslog header with the complete original message to syslog-ng:

Oct 30 12:59:21 localhost.localdomain LOGSTASH[-]: Oct 30 08:59:20 localhost NetworkManager[770]: [1509368360.0101] ndisc[0x55f278312440,"eno16777736"]: complete-address: can't generate a new EUI-64 address

Could you share your logstash / rsyslog configuration?
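
The two replies above can be checked against a captured line before touching the syslog-ng configuration. The following is an added example, not code from any poster in this thread: it classifies a received line as RFC3164 or RFC5424, maps it to the source driver named above, and flags an original syslog header carried inside the message part. The first sample is the line quoted in this thread; the other two are constructed, and all function and variable names are hypothetical.

```python
import re

# RFC 5424: [<PRI>]1 ISO-TIMESTAMP HOST APP PROCID MSGID ...
RFC5424 = re.compile(r"^(?:<\d{1,3}>)?1 (?:\d{4}-\d{2}-\d{2}T\S+|-) \S+ \S+ \S+ \S+ ")
# RFC 3164 (BSD style): [<PRI>]Mmm dd hh:mm:ss HOST TAG[PID]: MSG
RFC3164 = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ \d]\d \d{2}:\d{2}:\d{2} "
    r"(?P<host>\S+) (?P<tag>[^\s\[:]+)(?:\[(?P<pid>[^\]]*)\])?: (?P<msg>.*)$"
)

# Source driver per format, as given in the reply above.
SOURCE_FOR = {"rfc3164": "network()", "rfc5424": "syslog()"}

def classify(line):
    """Return 'rfc3164', 'rfc5424' or None for one received line."""
    if RFC5424.match(line):
        return "rfc5424"
    if RFC3164.match(line):
        return "rfc3164"
    return None

def inspect(line):
    """Report the outer format, the matching syslog-ng source, and whether
    the MSG part itself starts with another syslog header (checked only
    for an RFC 3164 outer header)."""
    fmt = classify(line)
    nested = False
    outer = RFC3164.match(line) if fmt == "rfc3164" else None
    if outer:
        nested = classify(outer.group("msg")) is not None
    return {"format": fmt, "source": SOURCE_FOR.get(fmt), "nested_header": nested}

# Line quoted in this thread (as written out by the receiver, no <PRI>).
THREAD_LINE = (
    "Oct 30 12:59:21 localhost.localdomain LOGSTASH[-]: "
    "Oct 30 08:59:20 localhost NetworkManager[770]: [1509368360.0101] "
    'ndisc[0x55f278312440,"eno16777736"]: complete-address: '
    "can't generate a new EUI-64 address"
)
# Constructed samples.
PLAIN_3164 = "<30>Oct 30 08:59:20 localhost NetworkManager[770]: link up"
SAMPLE_5424 = "<13>1 2017-10-30T12:59:21.000Z localhost.localdomain LOGSTASH - - - link up"

if __name__ == "__main__":
    for sample in (THREAD_LINE, PLAIN_3164, SAMPLE_5424):
        print(inspect(sample))
```
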

Hi,
Tested it a bit more and put together a quick blog on the topic: https://www.balabit.com/blog/sending-logs-logstash-syslog-ng/
I hope you find it useful.
Peter
