Cisco
csergey, 2014-10-30 13:30:56

How to connect cisco logging to Logstash?

I am new to Logstash. I have brought up the Logstash + Elasticsearch + Kibana stack.
Here is the config:
# cat /etc/logstash/conf.d/10-syslog.conf
input {
  tcp {
    port => 514
    type => syslog
  }
  udp {
    port => 514
    type => syslog
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      # the second add_field entry was cut off in the post
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
Kibana

2 answer(s)
brutal_lobster (@brutal_lobster), 2014-10-31

There can be many reasons, starting with the fact that no output (elasticsearch) is specified in the config and ending with ES being unable to parse some field (the timestamp, for example).
Well, it would be nice to make sure that the syslog actually reaches the server :)
In any case, first enable Logstash and Elasticsearch logging and try to debug the filter with a stdout output, for example.
+ look at grokdebug.herokuapp.com
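
The debugging step this answer recommends (feed a sample line through the grok pattern and see what comes out) can be reproduced offline. The script below is an added example, not code from the thread or from Logstash: it expands the question's grok pattern into a Python regex using hand-written stand-ins for SYSLOGTIMESTAMP, SYSLOGHOST, DATA, POSINT and GREEDYDATA (assumption: approximations of the Logstash pattern library, not copies of it), decodes the leading <PRI> the way syslog_pri does, and runs two constructed lines through it. The second line has the shape Cisco IOS actually emits ("sequence: timestamp: %FACILITY-SEVERITY-MNEMONIC: text"), which lacks the "host program[pid]:" layout the question's pattern expects, so it matches nothing; a second pattern built for that shape (CISCOTIMESTAMP and CISCOTAG are again my own stand-ins) captures it and lets the severity in the tag be cross-checked against the PRI severity.

```python
import re

# Stand-ins for the grok patterns referenced in the question (assumption:
# approximations of Logstash's pattern library, not the shipped definitions).
GROK_PATTERNS = {
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d+)?",
    "SYSLOGHOST": r"[A-Za-z0-9._-]+",
    "DATA": r".*?",
    "POSINT": r"[1-9]\d*",
    "GREEDYDATA": r".*",
    # Extra stand-ins for Cisco IOS lines (same caveat as above).
    "CISCOTIMESTAMP": r"[A-Z][a-z]{2} {1,2}\d{1,2}(?: \d{4})? \d{2}:\d{2}:\d{2}(?:\.\d+)?",
    "CISCOTAG": r"[A-Z0-9]+-\d-[A-Z0-9_]+",
}

# The pattern from the question's 10-syslog.conf: "timestamp host program[pid]: message".
SYSLOG_PATTERN = (
    r"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} "
    r"%{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"
)
# A pattern shaped for IOS "timestamp: %FACILITY-SEV-MNEMONIC: text" lines (constructed here).
CISCO_PATTERN = r"%{CISCOTIMESTAMP:log_date}: %%{CISCOTAG:cisco_tag}: %{GREEDYDATA:cisco_message}"


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME:field} and %{NAME} tokens into Python named groups."""
    def expand(m):
        body = GROK_PATTERNS[m.group(1)]
        field = m.group(2)
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern)


def parse_pri(line: str):
    """Split a leading <PRI> into (facility, severity, rest), as syslog_pri does.
    A line without a PRI prefix comes back as (None, None, line)."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.DOTALL)
    if not m:
        return None, None, line
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def grok_match(pattern: str, text: str):
    """Unanchored search, like grok's match; returns captured fields or None."""
    m = re.search(grok_to_regex(pattern), text)
    return m.groupdict() if m else None


def analyze(line: str, pattern: str) -> dict:
    """PRI decode plus grok match for one raw line received on the tcp/udp input."""
    facility, severity, rest = parse_pri(line)
    return {"facility": facility, "severity": severity, "fields": grok_match(pattern, rest)}


def tag_severity(cisco_tag: str) -> int:
    """Severity digit from FACILITY-SEV-MNEMONIC, comparable with the PRI severity."""
    return int(cisco_tag.split("-")[1])


# Constructed sample lines (not taken from the question).
STD_LINE = "<34>Oct 30 13:30:56 srv01 sshd[1234]: Accepted publickey for ops from 192.0.2.10 port 51234 ssh2"
CISCO_LINE = "<189>45: Oct 30 13:30:56.123: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.7)"

if __name__ == "__main__":
    print("standard line, syslog pattern:", analyze(STD_LINE, SYSLOG_PATTERN))
    print("cisco line, syslog pattern:   ", analyze(CISCO_LINE, SYSLOG_PATTERN))
    print("cisco line, cisco pattern:    ", analyze(CISCO_LINE, CISCO_PATTERN))
```

Running it shows the standard line yielding program "sshd" and pid "1234", the Cisco line yielding no fields at all under the question's pattern (which is what a grokparsefailure tag in a stdout output would tell you), and the Cisco pattern recovering the tag "SYS-5-CONFIG_I" whose severity 5 agrees with PRI 189 (local7.notice). When the two disagree on a real feed, one of the two sources is not what you think it is.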

Anatoly Ivashina (@tiv), 2015-01-30

On the Logstash side, most likely it has no permission to use port 514; try changing it to something else, for example 5140, or run the Logstash daemon as root.
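
A quick way to confirm this diagnosis before touching the config: the script below, an added example that is not part of the thread, attempts the same bind the question's tcp and udp inputs would and says whether the failure is the privilege problem described here (EACCES on a port below 1024 when not running as root) or a port already held by another process (EADDRINUSE). The port list (514, 5140) mirrors the answer; port 0 is used only so the self-test can ask the kernel for any free unprivileged port.

```python
import errno
import socket


def probe_bind(port: int, proto: str = "udp", addr: str = "0.0.0.0") -> dict:
    """Attempt the bind a Logstash tcp/udp input would perform and classify the outcome.
    The socket is closed again immediately; nothing is left listening."""
    sock_type = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, sock_type) as s:
        try:
            s.bind((addr, port))
        except PermissionError:
            # EACCES: ports below 1024 need root (or CAP_NET_BIND_SERVICE on Linux)
            return {"port": port, "proto": proto, "ok": False,
                    "reason": "permission denied: privileged port and the process is not root"}
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return {"port": port, "proto": proto, "ok": False,
                        "reason": "address already in use: another process holds this port"}
            return {"port": port, "proto": proto, "ok": False,
                    "reason": f"bind failed: {e.strerror}"}
        # getsockname() reports the real port, which matters when port 0 was requested
        return {"port": s.getsockname()[1], "proto": proto, "ok": True,
                "reason": "bind succeeded"}


def probe_candidates(ports=(514, 5140)) -> list:
    """Probe each candidate port over both transports, matching the tcp+udp inputs."""
    return [probe_bind(p, proto) for p in ports for proto in ("udp", "tcp")]


if __name__ == "__main__":
    for result in probe_candidates():
        status = "OK " if result["ok"] else "ERR"
        print(f"{status} {result['proto']}/{result['port']}: {result['reason']}")
```

Run it as the same user the Logstash daemon runs as: a "permission denied" on 514 together with a success on 5140 is exactly the situation this answer describes, whereas "address already in use" points at another syslog daemon on the box rather than at privileges.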
