I have all of my device logs being pushed to my server on port 514, and I can see them in tcpdump as below:
[root@localhost config]# tcpdump -i eno1 port 514 -vvvv
2:20:03.035727 IP (tos 0x0, ttl 28, id 22525, offset 0, flags [none], proto UDP (17), length 189)
10.0.1.227.syslog > localhost.localdomain.syslog: [udp sum ok] SYSLOG, length: 161
Facility local7 (23), Severity info (6)
Msg: Jun 20 19:22:01.161 UTC: 10.240.12.197:8514 764: xxxxx:Jun 20 19:22:01.161 UTC: exec[67401]: %SECURITY-LOGIN-6-CLOSE : User 'xxxxxx' logged out \0x0a
0x0000: 3c31 3930 3e4a 756e 2032 3020 3139 3a32
0x0010: 323a 3031 2e31 3631 2055 5443 3a20 2031
0x0020: 302e 3234 302e 3132 2e31 3937 3a38 3531
0x0030: 3420 3736 343a 2052 502f 302f 5253 5030
0x0040: 2f43 5055 303a 4a75 6e20 3230 2031 393a
0x0050: 3232 3a30 312e 3136 3120 5554 433a 2065
0x0060: 7865 635b 3637 3430 315d 3a20 2553 4543
0x0070: 5552 4954 592d 4c4f 4749 4e2d 362d 434c
0x0080: 4f53 4520 3a20 5573 6572 2027 4457 542d
0x0090: 4f50 5427 206c 6f67 6765 6420 6f75 7420
0x00a0: 0a
However, when I use the Logstash config below, I am unable to see the logs:
input {
  syslog {
    type => "syslog"
  }
}
output {
  stdout { codec => rubydebug }
}
I am even running Logstash as root (./logstash -f logstash.conf) to rule out the privileged-port issue.
Please help me in debugging this further.
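The following is an added debugging aid, not code from the question or from Logstash. It separates the three things that can go wrong here: whether anything can bind UDP 514 on the collector at all (the Logstash syslog input listens on 0.0.0.0:514 by default, and an rsyslog or syslog-ng already holding that port would stop it), whether a datagram of the same shape as the device's actually arrives at a plain UDP receiver, and what the <190> priority at the start of the hex dump decodes to. The sample datagram is constructed from the Msg: line in the question with the same redaction; the facility and severity tables are the standard RFC 3164 / RFC 5424 numbering; the function names are my own.

```python
"""
Added debugging aid for a syslog-over-UDP pipeline: a sender that emits the
same kind of datagram as the network device in the question, a minimal UDP
receiver, a PRI decoder that reproduces tcpdump's
"Facility local7 (23), Severity info (6)" line, and a bind probe for the port
the Logstash syslog input is supposed to own.
"""
import errno
import socket

# Facility and severity names by number (RFC 3164 / RFC 5424 numbering).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample, rebuilt from the Msg: line in the question with the same
# redaction; the hex dump shows the datagram begins with "<190>" (3c 31 39 30 3e).
SAMPLE = ("<190>Jun 20 19:22:01.161 UTC:  10.240.12.197:8514 764: xxxxx:"
          "Jun 20 19:22:01.161 UTC: exec[67401]: %SECURITY-LOGIN-6-CLOSE : "
          "User 'xxxxxx' logged out \n")


def parse_pri(datagram: bytes):
    """Split an RFC 3164 datagram into (facility name, severity name, rest).
    PRI = facility * 8 + severity, so <190> -> local7 (23), info (6)."""
    if not datagram.startswith(b"<"):
        raise ValueError("datagram has no PRI field")
    end = datagram.index(b">", 1, 5)          # PRI is one to three digits
    pri = int(datagram[1:end])
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    rest = datagram[end + 1:].decode(errors="replace")
    return FACILITIES[facility], SEVERITIES[severity], rest


def probe_udp_bind(host: str = "0.0.0.0", port: int = 514) -> str:
    """Report whether this process could bind the port the syslog input wants.
    "in use" usually means rsyslog/syslog-ng (or another Logstash) already owns
    it; "permission denied" means a non-root process tried a port below 1024."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((host, port))
        return "free"
    except PermissionError:
        return "permission denied"
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return "in use"
        raise
    finally:
        s.close()


def send_syslog(datagram: bytes, host: str, port: int = 514) -> None:
    """Send one datagram the way the device does: plain UDP, no framing."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


def loopback_roundtrip(datagram: bytes = SAMPLE.encode(), timeout: float = 2.0):
    """Listen on an ephemeral loopback port, send the sample to it and decode
    what arrives. Pointing send_syslog at the real collector on 514 gives the
    same check end to end (tcpdump there should then show the datagram)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(timeout)
        port = rx.getsockname()[1]
        send_syslog(datagram, "127.0.0.1", port)
        data, _peer = rx.recvfrom(65535)
    return parse_pri(data)


def demo_conflict() -> str:
    """Hold a loopback UDP port and probe it: this is what the probe reports
    when another daemon already sits on 514."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as held:
        held.bind(("127.0.0.1", 0))
        return probe_udp_bind("127.0.0.1", held.getsockname()[1])


if __name__ == "__main__":
    print("udp/514 on 0.0.0.0:", probe_udp_bind())
    print("loopback round trip:", loopback_roundtrip()[:2])
    print("occupied-port probe:", demo_conflict())
```

Run it as root on the collector while Logstash is supposed to be running: "free" on udp/514 means the syslog input never bound the port (check the Logstash log for the bind error), "in use" means something holds it, which is either Logstash itself or a competing syslog daemon; ss -lunp will say which. If the port is held by Logstash and the loopback round trip decodes local7/info as tcpdump did, the datagram is reaching the host correctly and the problem is past the socket.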