Syslog type

Elastic Stack Beats
1

Hi,

From the newest version of filebeat the syslog type has been removed.
If I compare the log from logstash as syslog format to the filebeat log format the following things are missing from the log which is obvious because we don't use syslog we don't have the option.

“type”: “syslog”,
“syslog_severity_code”: 5,
“syslog_facility_code”: 1,
“syslog_facility”: “user-level”,
“syslog_severity”: “notice”,

I've already read about this:
https://www.elastic.co/guide/en/beats/filebeat/current/configuration-logging.html

And tried as well but I couldn't see the syslog fields.

This is what I've tried:

    #================================ Logging =====================================
    # Sets log level. The default log level is info.
    # Available log levels are: error, warning, info, debug
    logging.level: info
   
    # At debug level, you can selectively enable logging only for some components.
    # To enable all selectors use ["*"]. Examples of other selectors are "beat",
    # "publish", "service".
    #logging.selectors: ["*"]
    
    logging.to_syslog: true
    logging.json: true

Is there any way to get back the syslog option or somehow make this work? Does it need a separated file or doest it need the syslog running as a service on the machine?

Thank you

2

Hi,

Does this help: https://www.elastic.co/guide/en/beats/filebeat/master/filebeat-input-syslog.html

3

They don't have the syslog type anymore in the newest version.

4

Are you trying to log to syslog or read logs from syslog?

5

Hello,

Maybe I understand the logic differently?
Based on your comment it sounds for me that I need a running syslog on the server and I should read from that logs?

I worked with syslog before a lot and in syslog-ng it works like:
On the client you can set which formatted log you want to send like BSD or IETF and the server (receiver) has to receive it in the same format.

In the logstash forwarder before they had the type syslog and it sends the syslog fields.
In the new version of the filebeat I can not set syslog type so when the logs arrive to the let's say indexer server it lost the syslog fields.

6

Why not just send syslog directly to Logstash listening on a UDP input?

This can help you get started...

7

The part I'm not sure yet is if you confuse some products. There is Logstash and Filebeat. Before there was also logstash-forward which became filebeat but nothing really changed from a syslog perspective as the only feature it supported in the past was logging to syslog and still does. Soon filebeat will have support for reading from syslog.

So are you trying to send the logs which are created by Filebeat to syslog?

8

I'd like to send the logs (messaged and secure) with filebeat to a logstash indexer and the indexer will forward the message to elastic search. I want to keep the syslog fields that I mentioned in my topic description.

9

So use filebeat to send the message to Logstash, and use Logstash to process the message and generate those fields. You will need to use grok to pull the priority off the message, and the syslog_pri filter to genrate those fields.

Using the repo that I provide as a basis, you should be able to easily adapt it to use a filebeat input instead of raw UDP.

10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.