I'm trying out Elastic Stack. I setup a filebeat to ship my apache access logs and a syslog input on logstash to get the syslog data from the host.
The logs end up in the right place, but the syslog shows the host as the IP address and the apache logs show the host as the hostname. How can I get the syslog to use the hostname?
Please show your configuration and an example syslog event. Copy/paste from Kibana's JSON tab or use a stdout { codec => rubydebug } output.
Example syslog event:
Created with logger -p user.info "test message"
{
"severity" => 6,
"@timestamp" => 2017-10-11T00:20:10.000Z,
"@version" => "1",
"host" => "204.89.253.53",
"program" => "jratliff",
"message" => "test message\n",
"priority" => 14,
"logsource" => "piglet",
"facility" => 1,
"severity_label" => "Informational",
"timestamp" => "Oct 10 20:20:10",
"facility_label" => "user-level"
}
Logstash Configuration:
input {
syslog {
port => 8514
}
}
output {
elasticsearch {
hosts => [ "localhost:9200" ]
}
}
The syslog event comes from rsyslog on a debian box and is forwarded to rsyslog on the server which runs logstash. That rsyslog then forwards it to logstash. I did this to allow for an SSH tunnel between the two servers to encrypt the traffic. When I went through the tunnel direct to logstash, it thought the host was localhost. Now it knows the host by IP, and the logsource has the hostname, but the host field in syslog is different from the host field in the apache logs, which makes it harder to search for events from the server. I'd like all events from the same server to have the same host name.
Thanks.
Why not just rename the logsource field host with a mutate filter?
That works. Thanks.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.