Unable to receive logs from multiple data sources

ThorntonStasher · May 10, 2019, 1:03am

I'm trying to get Logstash to receive logs from multiple servers. My attempt at configuring that failed. The UDP input plugin requires a string but I don't know how to implement that. I get the following error with the code shown below:

input {
udp {
port => 514
host => ["10.0.0.4", "10.0.0.6", "10.0.0.7", "10.0.0.8", "10.0.0.2"]
tags => ["AuditTrail"]
}
}

output {stdout {}}

////////////////////////////////////////

Error:
input {
udp {

This setting must be a string

Expected string, got ["10.0.0.4", "10.0.0.6", "10.0.0.7", "10.0.0.8", "10.0.0.2"]

host => ["10.0.0.4", "10.0.0.6", "10.0.0.7", "10.0.0.8", "10.0.0.2"]
...
}
}
[2019-05-10T00:58:26,277][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Something is wrong with your configuration.", :backtrace=>["/home/xxxxx/DOWNLOADS/LOGSTASH/logstash-7.0.0/logstash-core/lib/logstash/config/mixin.rb:86:in config_init'", "/home/xxxxx/DOWNLOADS/LOGSTASH/logstash-7.0.0/logstash-core/lib/logstash/inputs/base.rb:60:ininitialize'", "/home/xxxxx/DOWNLOADS/LOGSTASH/logstash-7.0.0/vendor/bundle/jruby/2.5.0/gems/logstash-input-udp-3.3.4/lib/logstash/inputs/udp.rb:45:in initialize'", "org/logstash/plugins/PluginFactoryExt.java:255:inplugin'", "org/logstash/plugins/PluginFactoryExt.java:117:in buildInput'", "org/logstash/execution/JavaBasePipelineExt.java:50:ininitialize'", "/home/xxxxx/DOWNLOADS/LOGSTASH/logstash-7.0.0/logstash-core/lib/logstash/java_pipeline.rb:23:in initialize'", "/home/xxxxx/DOWNLOADS/LOGSTASH/logstash-7.0.0/logstash-core/lib/logstash/pipeline_action/create.rb:36:inexecute'", "/home/xxxxx/DOWNLOADS/LOGSTASH/logstash-7.0.0/logstash-core/lib/logstash/agent.rb:325:in `block in converge_state'"]}
[2019-05-10T00:58:26,521][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2019-05-10T00:58:31,589][INFO ][logstash.runner ] Logstash shut down.
-sh-4.2$

rcrc · May 10, 2019, 2:00am

It should be a string. What you provide is an array.

Badger · May 10, 2019, 12:43pm

The host option sets the address on which the udp input should listen on. It does not limit the set of hosts that can write to the input.

ThorntonStasher · May 10, 2019, 3:23pm

What is the proper syntax for adding multiple host if there is no limit for the set hosts?

Badger · May 10, 2019, 3:44pm

I do not think there is any way to give it a list of IP addresses to listen on unless you have shorthand like "0.0.0.0" (which is the default).

ThorntonStasher · May 10, 2019, 3:59pm

that is a great point. I started with 0.0.0.0 initially but then wanted to lock it down to just one IP. It's probably frowned upon to have the IP as 0.0.0.0 though. Do I need to add separate pipelines to each server that sends to logstash?

Badger · May 10, 2019, 4:21pm

I wouldn't say it is frowned upon, it is the default, after all.

You should not need separate pipelines for each sending server.

system · June 7, 2019, 4:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.