I'm unable to capture some syslog messages from different sources.
This is my config:
input {
  # listen for syslog on both transports
  udp {
    port => 514
  }
  tcp {
    port => 514
  }
}
filter {
}
output {
  # write every event to a local file
  file {
    path => "/var/log/test.log"
  }
}
With tcpdump I see all the incoming logs:
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
10:43:59.808194 IP (tos 0x0, ttl 61, id 11296, offset 0, flags [DF], proto UDP (17), length 812)
10.20.21.16.46059 > syslogserver.syslog: [udp sum ok] SYSLOG, length: 784
Facility local3 (19), Severity debug (7)
Msg: logstamp="Aug 04 10:42:03" from=10.20.21.16 action=permitted severity=1 category=9 user=LDAP://test.local OU\=Test,DC\=Company,DC\=local/Usertest Usertest loginID=usertest src_ip=10.22.9.19 src_port=2223 dst_host=firefox.settings.services.mozilla.com dst_port=443 bytes_out=1088 bytes_in=884 http_response=0 http_method=CONNECT http_content_…
10:45:26.090438 IP (tos 0x0, ttl 64, id 13107, offset 0, flags [DF], proto UDP (17), length 253)
192.168.1.73.24137 > syslogserver.syslog: [udp sum ok] SYSLOG, length: 225
Facility local7 (23), Severity alert (1)
Msg: 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"
Only the second log is captured.
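As an added diagnostic example (not the poster's configuration and not Logstash's own code): a small Python script that decodes the syslog `<PRI>` header and round-trips the two kinds of messages seen in the tcpdump capture through a plain UDP socket, so one can check independently of the pipeline what each sender actually puts on the wire. The two datagrams below are constructed from the captured text; their PRI values (159 and 185) follow from the facility/severity pairs tcpdump printed (local3/debug = 19*8+7, local7/alert = 23*8+1). The loopback address and the use of an ephemeral port instead of 514 are assumptions made so the script runs unprivileged.

```python
import re
import socket
from dataclasses import dataclass

# RFC 3164 facility and severity names, indexed by their numeric codes.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The header is "<" + (facility * 8 + severity) + ">", at most three digits.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)\Z", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    body: str
    length: int  # size of the datagram as received, in bytes


def parse_syslog(raw: bytes) -> SyslogMessage:
    """Decode the PRI header of one syslog datagram; raise ValueError if malformed."""
    text = raw.decode("utf-8", errors="replace")
    m = PRI_RE.match(text)
    if m is None:
        raise ValueError("no <PRI> header: %r" % text[:40])
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return SyslogMessage(FACILITIES[pri // 8], SEVERITIES[pri % 8], m.group(2), len(raw))


# Constructed datagrams modelled on the two tcpdump entries in the post:
# local3 (19) / debug (7) -> PRI 159, and local7 (23) / alert (1) -> PRI 185.
SAMPLE_PROXY = (
    b'<159>logstamp="Aug 04 10:42:03" from=10.20.21.16 action=permitted severity=1 '
    b'category=9 user=LDAP://test.local OU\\=Test,DC\\=Company,DC\\=local/Usertest Usertest '
    b'loginID=usertest src_ip=10.22.9.19 src_port=2223 '
    b'dst_host=firefox.settings.services.mozilla.com dst_port=443 bytes_out=1088 bytes_in=884 '
    b'http_response=0 http_method=CONNECT'
)
SAMPLE_APACHE = (
    b'<185>127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 '
    b'"http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"'
)


def roundtrip_udp(datagrams, host="127.0.0.1"):
    """Send each datagram to a loopback UDP listener and return what arrived, parsed.

    Binding an ephemeral port on the loopback address (an assumption of this
    example) needs no privileges, unlike port 514.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    received = []
    try:
        server.bind((host, 0))
        server.settimeout(2.0)
        port = server.getsockname()[1]
        for d in datagrams:
            client.sendto(d, (host, port))
            data, _peer = server.recvfrom(65535)
            received.append(parse_syslog(data))
    finally:
        client.close()
        server.close()
    return received


if __name__ == "__main__":
    for msg in roundtrip_udp([SAMPLE_PROXY, SAMPLE_APACHE]):
        print(f"{msg.facility}.{msg.severity} {msg.length} bytes: {msg.body[:60]}")
```

Pointing the senders (or a copy of their traffic) at this listener instead of the Logstash input shows, per datagram, whether the PRI header is present and parseable and how long the message is; comparing that with what lands in `/var/log/test.log` narrows the problem to either the transport or the pipeline.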