Syslog output plugin configuration

kkomv · July 27, 2015, 9:28pm

Please help in configuring sylog output plugin

I keep getting the below error while starting logstash -

TypeError: can't convert nil into String
+ at org/jruby/RubyString.java:1172
receive at /logstash-1.5.2/vendor/bundle/jruby/1.9/gems/logstash-output-syslog-0.1.4/lib/logstash/outputs/syslog.rb:127
handle at /logstash-1.5.2/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.2.2-java/lib/logstash/outputs/base.rb:88
output_func at (eval):27
outputworker at /logstash-1.5.2/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.2.2-java/lib/logstash/pipeline.rb:243
start_outputs at /logstash-1.5.2/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.2.2-java/lib/logstash/pipeline.rb:165

Below is the logstash conf file.

input {
redis {
host => "127.0.0.1"
port => "7999"
data_type => "list"
key => "logstash"
codec => json
}
}

output {
elasticsearch {
cluster => "cluster"
host => "127.0.0.1"
port => "9200"
protocol => "http"
index => "logstash-%{+YYYY.MM.dd.HH}"
}
syslog{
host => "127.0.0.1"
port => 514
facility => "local0"
severity => "informational"
appname => "LOGSTASH"
procid => "123"
msgid => "456"
sourcehost => "localhost"
}
}

warkolm · July 27, 2015, 10:59pm

port => "514" - change that and try again.

kkomv · July 28, 2015, 12:43am

It still shows me the same error ,event after enclosing the port number in "". Not sure what other configuration is missing here.

suyograo · July 28, 2015, 6:03am

@kkomv thats weird, you seem to have all the configs right. Can you remove the redis input and try with a stdin input and enter a message?

basically:

input { 
   stdin { }
}

ouptut {
   syslog{
host => "127.0.0.1"
port => 514
facility => "local0"
severity => "informational"
appname => "LOGSTASH"
procid => "123"
msgid => "456"
sourcehost => "localhost"
}
}

mberger · July 31, 2015, 10:26am

Hi,
I am having the same problem using the syslog-output plugin. Logstash is collection syslog-messages from a lot of servers and I'd like to forward some lines to another one.

output {
  elasticsearch { host => localhost }
  if [type] == "syslog" and "_grokparsefailure" in [tags] {
    file { path => "/var/log/logstash/syslog_failed_events-%{+YYYY-MM-dd}" }
  }
  if [type] == "syslog" and "exim" in [syslog_program] {
    file { path => "/tmp/exim-out-%{+YYYY-MM-dd}" }
    syslog {
      facility => "mail"
      severity => "informational"
      host => "212.33.32.231"
      port => 514
    }
  }
}

The file output works fine and looks like this:

{"@version":"1","@timestamp":"2015-07-31T10:06:18.000Z","host":"192.168.224.32","type":"syslog","syslog_pri":"22","syslog_timestamp":"Jul 31 12:06:18","syslog_hostname":"so03","syslog_program":"exim","syslog_pid":"25317","syslog_message":"2015-07-31 12:06:18 TLS error on connection from [192.168.224.241] (SSL_accept): error:00000000:lib(0):func(0):reason(0)","tags":["Syslog","TS","exim error"],"received_at":"2015-07-31T10:06:18.000Z","syslog_severity_code":6,"syslog_facility_code":2,"syslog_facility":"mail","syslog_severity":"informational","exim_tlserror":"on connection from [192.168.224.241] (SSL_accept): error:00000000:lib(0):func(0):reason(0)"}

Since the error is in line 128 I am wondering if there is something wrong with the conversion of "priority" to string?!

TypeError: can't convert nil into String
              + at org/jruby/RubyString.java:1172
        receive at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-syslog-0.1.4/lib/logstash/outputs/syslog.rb:128
         handle at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/outputs/base.rb:88
    output_func at (eval):416
   outputworker at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:244
  start_outputs at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.3-java/lib/logstash/pipeline.rb:166

Thanks for your help!

magnusbaeck · July 31, 2015, 2:55pm

Your message is missing a message field and the syslog output requires it to be present. This is however not documented and the error mode when the field is missing is obviously less than perfect. I've filed issue #11 to improve this. I noted that someone else was bitten by the exact same thing earlier today (issue #10).

Perhaps you can simply rename your syslog_message field to message?

kkomv · July 31, 2015, 7:02pm

Thanks @magnusbaeck , it's now working once I added the message field.

mberger · August 3, 2015, 8:33am

Thanks @magnusbaeck , my setup is now working as well!