Sending Rsyslog data to logstash

I've configured two Linux servers for sending client rsyslog data to the server. The server is receiving messages from the client, and I've installed the ELK service on the server side. Now I want to send the rsyslog data (which the server was receiving) to Logstash. Earlier I was able to send the data through Filebeat. Filebeat was installed on the server side, which then sent the data to Logstash. Now I want to use the syslog input, but no index is created.

I've configured the rsyslog server, and logs are coming in on the server side:

input {
  tcp {
    port => 10514
  }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    index => "client-syslog-%{+YYYY.MM.dd}"
  }
}

The rsyslog logs are coming in at /var/log/remote/server/ (server side), but no index is created in Kibana.
I also tried this:

input {
  syslog {
    port => 10514
  }
}

Nothing works.

Can anyone tell me the solution?

Hey @warkolm, can you please help me?

Probably your best option is to use Logstash as a syslog receiver.

input {
  udp {
    id => "syslogUdp10514"
    port => 10514
  }
}

Then redirect syslog traffic to Logstash through iptables:

# PREROUTING lives in the nat table, so the table must be named explicitly
iptables -t nat -A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 10514

That way, your server's own syslog will continue working as usual, but traffic from other servers addressed to UDP/514 (the syslog standard port) will be re-routed to your Logstash instance.

Hey @jfs1, thank you.
Logstash is receiving all the logs from syslog, but it is not receiving boot logs:

local7.*  action(type="omfwd"
          queue.type="linkedlist"
          queue.filename="example_fwd"
          action.resumeRetryCount="-1"
          queue.saveOnShutdown="on"
          target="192.168.0.133" port="10514" protocol="udp"
          )

I am able to receive authpriv.* logs and daemon logs, but not boot logs.
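The forwarding path discussed in this thread (rsyslog omfwd over UDP into Logstash's udp input) reduced to a self-checking loopback exchange. This is an added example, not code from the thread: it binds a throwaway UDP listener as a stand-in for the Logstash input, sends one constructed RFC 3164 message, and decodes the `<PRI>` header, which is how you verify which facilities (authpriv, daemon, local7) actually arrive at the receiver.

```python
import socket

# RFC 3164 facility codes 0..23; the "local7.*" selector above is facility 23.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# RFC 3164 severity codes 0..7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def build_message(facility, severity, host, tag, msg):
    """Build one RFC 3164 line in the shape omfwd emits: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    timestamp = "Jan  1 00:00:00"  # constructed fixed timestamp (RFC 3164 pads the day)
    return f"<{pri}>{timestamp} {host} {tag}: {msg}".encode()


def parse_pri(datagram):
    """Decode the <PRI> header; return (facility, severity, remainder of the line)."""
    text = datagram.decode(errors="replace")
    end = text.find(">", 1, 6)
    if not text.startswith("<") or end == -1 or not text[1:end].isdigit():
        raise ValueError("missing <PRI> header: " + text[:20])
    pri = int(text[1:end])
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], text[end + 1:]


def loopback_exchange(facility="local7", severity="info"):
    """Send one datagram to a local UDP listener (stand-in for the Logstash udp input)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port instead of 10514: no root needed
    listener.settimeout(2)
    port = listener.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # Constructed sample line, as a client named "client1" would forward it.
        payload = build_message(facility, severity, "client1", "sshd[123]", "test line")
        sender.sendto(payload, ("127.0.0.1", port))
        data, _ = listener.recvfrom(4096)
    finally:
        sender.close()
        listener.close()
    return parse_pri(data)


if __name__ == "__main__":
    print(loopback_exchange())  # ('local7', 'info', 'Jan  1 00:00:00 client1 sshd[123]: test line')
```

Pointing the sender at 192.168.0.133:10514 instead of the loopback listener reproduces the omfwd path from the rsyslog config above, and the same parse_pri check on a tcpdump capture shows which facilities never leave the client.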

I guess you are referring to Linux logs.
Boot logs do not take the same path through rsyslog as other logs. Indeed, they are generated before the network is set up. I guess that your best option is to use a log file shipper (i.e. Filebeat) instead of Logstash for those logs.
