For some reason facility is always showing kernel (0) but in this test it should show syslog (5).
"hits" : [ {
"_index" : "filebeat-2016.12.14",
"_type" : "fbsyslog",
"_id" : "AVj6wwB4Si_4urkNEHOu",
"_score" : 14.27702,
"_source" : {
"message" : "<5.2> Dec 14 01:37:02 elkclient bob testmsg36",
"@version" : "1",
"@timestamp" : "2016-12-14T00:37:09.022Z",
"beat" : {
"hostname" : "elkclient.foo.com",
"name" : "elkclient.foo.com"
},
"count" : 1,
"fields" : null,
"input_type" : "log",
"offset" : 18242,
"source" : "/var/log/messages",
"type" : "fbsyslog",
"host" : "elkclient.foo.com",
"tags" : [ "beats_input_codec_plain_applied" ],
"facility" : "5",
"syslog_pri" : "2",
"syslog_timestamp" : "Dec 14 01:37:02",
"syslog_hostname" : "elkclient",
"syslog_program" : "bob",
"syslog_message" : " testmsg36",
"syslog_severity_code" : 2,
>>>>>>>>>> "syslog_facility_code" : 0,
>>>>>>>>>>"syslog_facility" : "kernel",
"syslog_severity" : "critical"
}
} ]
Server: logstash-2.3.2
Client: filebeat-1.2.1 and rsyslog-5.8.10
Server
/etc/logstash/conf.d/02-beats-input.conf
input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}
filter {
if [type] == "fbsyslog" {
grok {
match => { "message" => "<%{NONNEGINT:facility}.%{NONNEGINT:syslog_pri}> %{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} %{GREEDYDATA:syslog_message}" }
}
syslog_pri { }
}
}
Client
/etc/filebeat/filebeat.yml
filebeat:
prospectors:
-
paths:
- /var/log/messages
document_type: fbsyslog
input_type: log
registry_file: /var/lib/filebeat/registry
output:
logstash:
hosts: [“elk.foo.com:5044"]
bulk_max_size: 1024
tls:
certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]
shipper:
logging:
files:
rotateeverybytes: 10485760 # = 10MB
/etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
$template mytemplate,"<%syslogfacility%.%syslogseverity%> %timegenerated% %hostname% %programname% %msg%\n"
*.info;mail.none;authpriv.none;cron.none /var/log/messages;mytemplate
authpriv.* /var/log/secure
mail.* -/var/log/maillog
cron.* /var/log/cron
*.emerg *
uucp,news.crit /var/log/spooler
local7.* /var/log/boot.log