Syslog collection via Elastic Agent


We have an application for which installing a local agent is not possible and there is no specific Agent Integration, so we are looking to collect the syslog over TCP or UDP.

I assumed within the System integration there would be an option to specify an input over one of these protocols, but the options are unfortunately only local collection. There is a CEF Integration I have seen which pretty much seems to be what I'm after, but I'm not sure currently if this is the format this particular syslog is in, or if that even matters? Am I missing a way to achieve this?



Hey @Josh_G. Can your application output log data via syslog? If so, you could install Elastic Agent on a remote host and send the syslog from your application to that agent. The Custom TCP or UDP integrations are likely going to be the best fit for your use case. You can apply one of those integrations to the host running the agent and receiving syslog from your application.

We're currently working on the addition of a 'Syslog Parsing' toggle within these integrations to automatically parse RFC3164/RFC5424 formatted syslog. You can view the relevant PR here: [tcp/udp] Add option to parse syslog by taylor-swanson · Pull Request #3587 · elastic/integrations · GitHub

Worth noting, these custom integrations will not map your events to the Elastic Common Schema. You will need to build an ingest pipeline if you wish to map to ECS.

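The parsing and ECS mapping described in the reply above, shown as an added Python example that is not part of the thread and not Elastic's integration or pipeline code: it parses RFC3164 and RFC5424 lines and places the fields under ECS names. The sample lines, the `syslog_to_ecs` function and the `syslog_parse_failure` tag are assumptions made for the example.

```python
import re

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424 = re.compile(
    r"<(?P<pri>\d{1,3})>[1-9]\d? (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) \S+ (?:-|(?:\[(?:[^\]\\]|\\.)*\])+)(?: (?P<msg>.*))?", re.S)
# RFC 3164 (BSD): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
RFC3164 = re.compile(
    r"<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\s\[:]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)", re.S)

# Constructed sample lines (not taken from the thread).
SAMPLE_3164 = "<38>Feb  3 04:05:06 app01 sshd[4721]: Failed password for invalid user admin"
SAMPLE_5424 = "<165>1 2024-02-03T04:05:06.123Z app01 billing 812 ID47 - payment gateway timeout"

def syslog_to_ecs(line):
    """Map one syslog line to an ECS-shaped dict; unparsable input is kept raw."""
    raw = line.rstrip("\r\n")
    m5 = RFC5424.fullmatch(raw)
    m = m5 or RFC3164.fullmatch(raw)
    # PRI = facility * 8 + severity, so the largest valid value is 23 * 8 + 7 = 191.
    if not m or int(m["pri"]) > 191:
        # Hypothetical tag name; keep the raw line so nothing is silently dropped.
        return {"event": {"original": raw}, "message": raw,
                "tags": ["syslog_parse_failure"]}
    pri = int(m["pri"])
    doc = {
        "event": {"original": raw},
        "message": m["msg"] or "",
        "log": {"syslog": {"priority": pri,
                           "facility": {"code": pri >> 3},
                           "severity": {"code": pri & 7}}},
    }
    if m["host"] != "-":                      # "-" is the RFC 5424 nil value
        doc["host"] = {"hostname": m["host"]}
    if m["app"] != "-":
        doc["process"] = {"name": m["app"]}
        if (m["procid"] or "").isdigit():
            doc["process"]["pid"] = int(m["procid"])
    # RFC 5424 timestamps are ISO 8601 and can be used directly. RFC 3164 ones
    # carry no year or timezone, so the receive time has to be used instead.
    if m5 and m["ts"] != "-":
        doc["@timestamp"] = m["ts"]
    return doc

if __name__ == "__main__":
    for sample in (SAMPLE_3164, SAMPLE_5424, "not a syslog line"):
        print(syslog_to_ecs(sample))
```
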