Hello,
I would like some advice on this configuration: sending rsyslog to my Logstash.
I tested both configurations without success.
At one moment it worked; after restarting the pipeline, nothing.
$ModLoad imudp
$UDPServerRun 5000
#module(load="imudp")
#input(type="imudp" port="5000")
# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 5000
#module(load="imptcp")
#input(type="imptcp" port="5000")
*.* @xxx:5000
input {
  tcp {
    port => 5000
    type => syslog
  }
  udp {
    port => 5000
    type => syslog
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch {
    hosts => ["https://xxx:9200", "https://xx:9200", "https://xx:9200"]
    ssl => true
    ssl_certificate_verification => true
    keystore => "/etc/logstash/certs/xxxxxx"
    keystore_password => "${KEY}"
    cacert => "/etc/logstash/certs/xxxx"
    api_key => "xxx"
    index => "syslog-%{+YYYY.MM.dd}"
  }
}
syslog_message"=>"Started System Logging Service."}], :error=>{"type"=>"security_exception", "reason"=>"action [indices:admin/auto_create] is unauthorized for API key id [JoyBgoUBDSlOApYFv-1N] of user [elastic] on indices [syslog-2023.01.06], this action is granted by the index privileges [auto_configure,create_index,manage,all]"}}
Yet I think I registered the necessary rights when creating it:
{
  "name": "syslog",
  "role_descriptors": {
    "logstash_writer": {
      "cluster": ["all"],
      "index": [
        {
          "names": ["syslog-*"],
          "privileges": ["auto_configure", "create_index", "manage", "all"]
        }
      ]
    }
  }
}
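An added check, not part of the post above: before restarting the pipeline, ask the cluster which privileges the API key that Logstash presents actually holds on the target index, by calling the `_has_privileges` API authenticated as that key (an API key's effective rights are the intersection of its role descriptors and its owner's rights, so the key id in the error can be checked directly). The cluster URL, key id and secret, CA path and the sample response below are constructed placeholders.

```python
import base64
import json
import ssl
import urllib.request

# Index privileges Logstash needs to create the daily index and write to it
# (auto_configure and create_index are the ones named in the security_exception).
REQUIRED_INDEX_PRIVILEGES = ["auto_configure", "create_index", "write"]


def api_key_header(key_id: str, key_secret: str) -> str:
    """Authorization header value for an Elasticsearch API key: base64("id:secret")."""
    token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
    return f"ApiKey {token}"


def has_privileges_body(index_name: str) -> dict:
    """Request body for /_security/user/_has_privileges, scoped to one index."""
    return {"index": [{"names": [index_name], "privileges": REQUIRED_INDEX_PRIVILEGES}]}


def missing_index_privileges(response: dict, index_name: str) -> list:
    """Required index privileges the authenticated key does NOT hold on index_name."""
    granted = response.get("index", {}).get(index_name, {})
    return [p for p in REQUIRED_INDEX_PRIVILEGES if not granted.get(p, False)]


def check_api_key(base_url: str, key_id: str, key_secret: str, index_name: str, cacert: str) -> list:
    """Network call: returns the list of missing privileges for this key on index_name."""
    ctx = ssl.create_default_context(cafile=cacert)
    req = urllib.request.Request(
        f"{base_url}/_security/user/_has_privileges",
        data=json.dumps(has_privileges_body(index_name)).encode(),
        headers={"Authorization": api_key_header(key_id, key_secret),
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return missing_index_privileges(json.load(resp), index_name)


# Constructed sample of what the API returns for a key that can write but not create.
SAMPLE_RESPONSE = {
    "username": "elastic",
    "has_all_requested": False,
    "index": {"syslog-2023.01.06": {"auto_configure": False, "create_index": False, "write": True}},
}

if __name__ == "__main__":
    # Offline demonstration on the constructed response; swap in check_api_key() for a live cluster.
    print("missing:", missing_index_privileges(SAMPLE_RESPONSE, "syslog-2023.01.06"))
```

If the returned list is non-empty, the key Logstash is configured with is not the one carrying the role descriptor shown above, and the pipeline will fail on index creation as in the error.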