Syslog not being picked up even though it's tagged 'syslog'

Good morning all.

I am still pretty new to the elastic stack. I've used it on small scales and it worked great, but I'm getting ready to roll out a much larger aggregation model and wanted to be sure I'm understanding why things are behaving the way they are.

I've currently got beats and syslog systems shipping to a dev ELK stack with Logstash.

I have several systems shipping syslog fine. I added a couple of Xen hypervisors the other day and they did not show up in the syslog index via Kibana. I checked via tcpdump and the packets were arriving, so I created an else statement in the input syslog filter and sent them to a lostandfound index and voilà, they are there. Otherwise they are totally normal in Kibana once I get ahold of them, and they do not have a _grokparsefailure tag.

When I look at them they do have a 'syslog' tag so I'm wondering why they are not being sent to the syslog index?

Below are my syslog filter and ES output.

Thanks ahead of time for any help!

SYSLOG FILTER

input {
  syslog {
    port => 1514
    # tags is an array option; this adds "syslog" to [tags] but does not set [type]
    tags => ["syslog"]
  }
}
filter {
  # This condition tests [type], which the syslog input above never sets, so
  # events from that input fall through to the else branch and get the "lnf" tag.
  if [type] == "syslog" {
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
  }
  else {
    mutate { add_tag => ["lnf"] }
  }
}
output {
  # Events that reached the grok above and failed it are written to a daily file.
  if [type] == "syslog" and "_grokparsefailure" in [tags] {
    file { path => "/var/log/failed_syslog_events-%{+YYYY-MM-dd}" }
  }
}

ES OUTPUT

output {
  # Each conditional below is evaluated independently, so an event carrying both
  # the "syslog" and the "lnf" tag matches two of them and is indexed twice.
  if "beats" in [tags] {
    elasticsearch {
      hosts => ["x.x.x.x:9200"]
      sniffing => false
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      #index => "test1-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  }

  if "syslog" in [tags] {
    elasticsearch {
      hosts => ["x.x.x.x:9200"]
      sniffing => false
      index => "syslog-%{+YYYY.MM.dd}"
    }
  }

  # [logsource] is the hostname field populated by the syslog input
  if "esx" in [logsource] {
    elasticsearch {
      hosts => ["x.x.x.x:9200"]
      sniffing => false
      index => "esx-%{+YYYY.MM.dd}"
    }
  }

  if "lnf" in [tags] {
    elasticsearch {
      hosts => ["x.x.x.x:9200"]
      sniffing => false
      index => "lnf-%{+YYYY.MM.dd}"
    }
  }

}

Oddly enough, the system stopped showing any log entries the second it turned midnight. I did notice the entries are 8 hours behind in the histogram, but I'm in Ireland and those servers are in California.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
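A corrected version of the pipeline, added here as an example and not taken from the post or from any reply. It makes the syslog input set [type] so the filter and output conditions actually match, stops re-parsing a header the syslog input has already parsed, and makes the output conditionals mutually exclusive so no event is indexed twice. Hosts, port and index names are the post's placeholders; the beats input is assumed to live in a separate pipeline file, as in the post; the commented timezone option assumes a logstash-input-syslog version that offers it.

```conf
# Added example, not the configuration from the post: one pipeline file in which
# the input, the filter and the outputs all identify a syslog event the same way.
input {
  syslog {
    port => 1514
    # The post's filter tested [type] == "syslog" while its input only added a tag,
    # so no event ever reached the grok and all of them fell into the else branch.
    type => "syslog"
    tags => ["syslog"]
    # Assumption: RFC3164 timestamps carry no zone, so the input parses them in the
    # Logstash host's local zone unless told otherwise. Set this to the senders' zone
    # when Logstash and the senders are in different zones (plugin option, if present).
    # timezone => "America/Los_Angeles"
  }
}

filter {
  if [type] == "syslog" {
    # The syslog input has already split the header into priority, severity, facility,
    # timestamp, logsource, program and pid, and has overwritten [message] with the
    # body only. Re-grokking "<pri>timestamp host prog[pid]: body" against [message]
    # would therefore fail. If the post's syslog_* names are wanted, rename instead.
    mutate {
      rename => {
        "logsource" => "syslog_hostname"
        "program"   => "syslog_program"
        "pid"       => "syslog_pid"
      }
    }
  } else {
    # Anything that did not come from the syslog input (e.g. beats events).
    mutate { add_tag => ["lnf"] }
  }
}

output {
  # Header lines the syslog input itself could not parse are tagged by the plugin
  # with _grokparsefailure_sysloginput; keep those for inspection.
  if [type] == "syslog" and "_grokparsefailure_sysloginput" in [tags] {
    file { path => "/var/log/failed_syslog_events-%{+YYYY-MM-dd}" }
  }

  # One if/else chain: exactly one Elasticsearch output fires per event.
  if "beats" in [tags] {
    elasticsearch {
      hosts => ["x.x.x.x:9200"]
      sniffing => false
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
  } else if [type] == "syslog" and "esx" in [syslog_hostname] {
    elasticsearch {
      hosts => ["x.x.x.x:9200"]
      sniffing => false
      index => "esx-%{+YYYY.MM.dd}"
    }
  } else if [type] == "syslog" {
    elasticsearch {
      hosts => ["x.x.x.x:9200"]
      sniffing => false
      index => "syslog-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => ["x.x.x.x:9200"]
      sniffing => false
      index => "lnf-%{+YYYY.MM.dd}"
    }
  }
}
```

The point of the if/else chain is that Logstash evaluates top-level output conditionals independently: with the post's separate `if "syslog" in [tags]` and `if "lnf" in [tags]` blocks, an event carrying both tags is written to both indices. Checking on `[type]` also avoids surprises when a downstream filter adds or removes tags.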