Unable to split message received on TCP port into individual records

Hi everyone,

I'm sending some network logs from RSA NetWitness SIEM to a Logstash server over TCP on port 5515.
Currently Logstash is not able to separate the incoming data into separate records; it's considering the entire stream as a single record.

When I tried to listen on the same port with Rsyslog, each record is available in proper format. So it seems to be an issue with Logstash.

Please find below one sample conf file I've been testing:

input {
  tcp {
    host => "0.0.0.0"
    port => 5515
    type => "syslogType"
  }
}
output {
  # codec belongs to an output plugin, not to the output block itself
  stdout { codec => rubydebug }
}

With this conf, it's not printing anything on the console until we restart Logstash.
Once Logstash is restarted, it immediately displays all the records received, as a single message.

Currently I'm using Logstash version 6.5.4, but I'm facing the same issue with 7.5.2 as well.
Kindly let me know if any of you has faced this before or has any suggestions for me.

Thank You!!!

A tcp input creates one event for each line of text. If your messages do not contain a newline it will not flush them until it is stopped.
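The framing difference this answer points at, as an added illustration (not code from the thread or from Logstash/Rsyslog): a reader that splits on newlines, the way a line-based TCP input does, emits nothing from a stream that carries no newline, while an RFC 6587 octet-counting reader (a framing Rsyslog's TCP listener accepts) recovers each record. Whether the SIEM actually sends octet-counted records is an assumption for this demo; the sample messages are constructed.

```python
import re

# Constructed sample records (not from the thread); syslog-style lines from a hypothetical decoder host.
SAMPLE_MSGS = [
    "<134>Jan 10 12:00:01 nw-decoder netwitness: session start",
    "<134>Jan 10 12:00:02 nw-decoder netwitness: dns query example.invalid",
    "<134>Jan 10 12:00:03 nw-decoder netwitness: session end",
]

def octet_counted(msgs):
    """Encode records with RFC 6587 octet-counting: '<len> ' then len bytes, no trailing newline."""
    return b"".join(f"{len(m)} ".encode() + m.encode() for m in msgs)

def newline_terminated(msgs):
    """Encode records with RFC 6587 non-transparent framing: one LF after each record."""
    return b"".join(m.encode() + b"\n" for m in msgs)

def frame_by_newline(stream):
    """Newline framing, as a line-based TCP input does it. Returns (complete records,
    unflushed remainder). The remainder only becomes an event when the connection closes."""
    records, buf = [], stream
    while (nl := buf.find(b"\n")) >= 0:
        records.append(buf[:nl].decode())
        buf = buf[nl + 1:]
    return records, buf

def frame_by_octet_count(stream):
    """Octet-count framing. Returns (complete records, bytes of a not-yet-complete record)."""
    records, buf = [], stream
    while buf:
        m = re.match(rb"(\d+) ", buf)
        if not m:
            raise ValueError("stream is not octet-counted at this position")
        n, start = int(m.group(1)), m.end()
        if len(buf) < start + n:
            break  # partial record: keep buffering until the rest arrives
        records.append(buf[start:start + n].decode())
        buf = buf[start + n:]
    return records, buf

if __name__ == "__main__":
    stream = octet_counted(SAMPLE_MSGS)
    print(frame_by_newline(stream))      # ([], <whole stream stuck in the buffer>)
    print(frame_by_octet_count(stream))  # (3 records, b'')
```

Capturing a few bytes of the real port 5515 traffic and checking whether each record starts with a decimal length or ends with a newline tells you which framing the sender uses.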

Hi Badger,

Thank you for your response.
We do see that Rsyslog is able to interpret new records and Logstash is not, on the same port.
Can you please let me know what else can be done to make this work?

Hi Badger,

We are still trying to debug this issue.
Can you please suggest any alternatives that we can try out?

Thanks !!!
