Unable to capture some syslog with socket input

I'm unable to capture some syslog from different sources. This is my conf:

input {
  udp {
    port => 514
  }
  tcp {
    port => 514
  }
}
filter {
}
output {
  file {
    path => "/var/log/test.log"
  }
}

With tcpdump I see all incoming logs.

tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
10:43:59.808194 IP (tos 0x0, ttl 61, id 11296, offset 0, flags [DF], proto UDP (17), length 812)
    10.20.21.16.46059 > syslogserver.syslog: [udp sum ok] SYSLOG, length: 784
        Facility local3 (19), Severity debug (7)
        Msg:  logstamp="Aug 04 10:42:03" from=10.20.21.16 action=permitted severity=1 category=9 user=LDAP://test.local OU\=Test,DC\=Company,DC\=local/Usertest  Usertest loginID=usertest src_ip=10.22.9.19 src_port=2223 dst_host=firefox.settings.services.mozilla.com dst_port=443 bytes_out=1088 bytes_in=884 http_response=0 http_method=CONNECT http_content_…

10:45:26.090438 IP (tos 0x0, ttl 64, id 13107, offset 0, flags [DF], proto UDP (17), length 253)
    192.168.1.73.24137 > syslogserver.syslog: [udp sum ok] SYSLOG, length: 225
        Facility local7 (23), Severity alert (1)
        Msg: 127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /apache_pb.gif HTTP/1.0" 200 2326 "http://www.example.com/start.html" "Mozilla/4.08 [en] (Win98; I ;Nav)"

Only the second log is captured.
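When tcpdump sees a datagram but the pipeline's output does not, the useful next question is whether the bytes reach a bound UDP socket at all, and whether they carry the `<PRI>` header a syslog consumer expects. The following script is an added diagnostic, not part of the original post and not Logstash code: it binds a UDP port the way the `udp` input does, reports each datagram's length, facility and severity (the same fields tcpdump decodes), and includes a loopback self-test built on two sample messages constructed from the capture above (PRI values 159 = local3/debug and 185 = local7/alert are derived from tcpdump's decode; the bodies are abridged). Port, message count and timeout are arguments I chose for the example.

```python
"""Diagnostic UDP syslog probe (added example, not Logstash's own code)."""
import socket
import sys

# RFC 3164 facility and severity names, index = numeric code (matches tcpdump's decode)
FACILITIES = [
    "kernel", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed samples based on the tcpdump output in the post (bodies abridged).
SAMPLES = [
    b"<159>logstamp=\"Aug 04 10:42:03\" from=10.20.21.16 action=permitted severity=1 "
    b"category=9 user=usertest src_ip=10.22.9.19 src_port=2223 "
    b"dst_host=firefox.settings.services.mozilla.com dst_port=443 http_method=CONNECT",
    b"<185>127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] \"GET /apache_pb.gif HTTP/1.0\" "
    b"200 2326 \"http://www.example.com/start.html\" \"Mozilla/4.08 [en] (Win98; I ;Nav)\"",
]


def parse_pri(datagram: bytes):
    """Return (facility, severity, rest) from an RFC 3164 '<PRI>' prefix.

    Returns None when there is no valid PRI header; a message that arrives
    without one is a common reason a syslog-aware consumer mishandles it.
    """
    if not datagram.startswith(b"<"):
        return None
    end = datagram.find(b">", 1, 5)  # PRI is at most three digits
    if end == -1:
        return None
    digits = datagram[1:end]
    if not digits.isdigit():
        return None
    pri = int(digits)
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        return None
    return pri // 8, pri % 8, datagram[end + 1:]


def describe(datagram: bytes) -> str:
    """One-line summary in the same terms tcpdump prints."""
    parsed = parse_pri(datagram)
    if parsed is None:
        return f"{len(datagram)} bytes, no PRI header, starts {datagram[:40]!r}"
    fac, sev, rest = parsed
    return (f"{len(datagram)} bytes, facility {FACILITIES[fac]} ({fac}), "
            f"severity {SEVERITIES[sev]} ({sev}), msg starts {rest[:40]!r}")


def roundtrip(samples, host="127.0.0.1"):
    """Loopback self-test: bind an ephemeral UDP port, send each sample to it
    and return exactly what the receiving socket got."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind((host, 0))
    rx.settimeout(2.0)
    port = rx.getsockname()[1]
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    received = []
    try:
        for sample in samples:
            tx.sendto(sample, (host, port))
            received.append(rx.recvfrom(65535)[0])
    finally:
        tx.close()
        rx.close()
    return received


def listen(port: int, count: int, timeout: float = 30.0):
    """Bind 0.0.0.0:<port> like the udp input would and report datagrams until
    <count> have arrived or <timeout> seconds pass. Returns the raw datagrams."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", port))
    sock.settimeout(timeout)
    got = []
    try:
        while len(got) < count:
            data, (src, sport) = sock.recvfrom(65535)
            print(f"{src}:{sport} -> {describe(data)}")
            got.append(data)
    except socket.timeout:
        print("timed out waiting for datagrams")
    finally:
        sock.close()
    return got


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # e.g. sudo python3 syslog_probe.py 514 2   (run while Logstash is stopped)
        listen(int(sys.argv[1]), int(sys.argv[2]) if len(sys.argv) > 2 else 2)
    else:
        for d in roundtrip(SAMPLES):
            print(describe(d))
```

Run it with no arguments for the loopback self-test; with a port (514 needs root, and Logstash must be stopped first, since both cannot bind the same port) it reports what a real listener receives from each sender. If a message shows up here with a correct PRI but never reaches the file output, the problem is in the pipeline rather than on the network; if it never shows up, look at the host firewall or the sender's destination port.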
