logstash_syslog.conf:
input {
  tcp {
    port => 514
    host => "127.0.0.1"
    type => syslog
    codec => "json"
  }
}
filter {
  # This replaces the host field (UDP source) with the host that generated
  # the message (sysloghost)
  if [sysloghost] {
    mutate {
      replace => [ "host", "%{sysloghost}" ]
      # prune the field after successfully replacing "host"
      remove_field => "sysloghost"
    }
  }
}
output {
  gelf {
    sender => "%{@source_host}"
    host => "10.56.130.70"
    port => 12201
  }
}
logstash template:
template(name="ls_json" type="list" option.json="on") {
  constant(value="{")
  constant(value="\"@timestamp\":\"")       property(name="timegenerated" dateFormat="rfc3339")
  constant(value="\",\"@version\":\"1")
  constant(value="\",\"message\":\"")       property(name="msg")
  constant(value="\",\"host\":\"")          property(name="fromhost")
  constant(value="\",\"host_ip\":\"")       property(name="fromhost-ip")
  constant(value="\",\"my_environment\":\"Development")
  constant(value="\",\"my_project\":\"IPA")
  constant(value="\",\"my_use\":\"Auth")
  constant(value="\",\"logsource\":\"")     property(name="fromhost")
  constant(value="\",\"severity_label\":\"") property(name="syslogseverity-text")
  constant(value="\",\"severity\":\"")      property(name="syslogseverity")
  constant(value="\",\"facility_label\":\"") property(name="syslogfacility-text")
  constant(value="\",\"facility\":\"")      property(name="syslogfacility")
  constant(value="\",\"program\":\"")       property(name="programname")
  constant(value="\",\"pid\":\"")           property(name="procid")
  constant(value="\",\"rawmsg\":\"")        property(name="rawmsg")
  constant(value="\",\"syslogtag\":\"")     property(name="syslogtag")
  constant(value="\"}\n")
}
*.* @@127.0.0.1:514;ls_json
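A quick offline check of the two halves of this pipeline, added here as an example and not part of the original post: it parses one constructed line in the shape the ls_json template emits, then mimics the Logstash filter block and Logstash's `%{field}` expansion (a missing field is left as literal text). It makes visible that the template never emits a `sysloghost` key, so the `if [sysloghost]` branch never fires, and that `@source_host` is not in the event either.

```python
import json
import re

# Constructed sample of one line as the ls_json template would produce it.
# Values are made up; the key set matches the template in the config above.
SAMPLE_LINE = (
    '{"@timestamp":"2016-10-25T15:43:15+02:00","@version":"1",'
    '"message":"pam_unix(sshd:session): session opened for user alice",'
    '"host":"ipa01","host_ip":"192.0.2.10",'
    '"my_environment":"Development","my_project":"IPA","my_use":"Auth",'
    '"logsource":"ipa01","severity_label":"info","severity":"6",'
    '"facility_label":"authpriv","facility":"10","program":"sshd",'
    '"pid":"1234","rawmsg":"<86>Oct 25 15:43:15 ipa01 sshd[1234]: session opened",'
    '"syslogtag":"sshd[1234]:"}\n'
)


def parse_template_line(line: str) -> dict:
    """Mimic the Logstash json codec: one JSON document per received line."""
    return json.loads(line)


def apply_host_filter(event: dict) -> dict:
    """Mimic the filter block: replace host with sysloghost, then drop sysloghost."""
    event = dict(event)
    if event.get("sysloghost"):
        event["host"] = event.pop("sysloghost")
    return event


def sprintf(fmt: str, event: dict) -> str:
    """Mimic Logstash %{field} expansion; an unknown field stays as literal text."""
    return re.sub(r"%\{([^}]+)\}",
                  lambda m: str(event.get(m.group(1), m.group(0))), fmt)


def check_pipeline(line: str) -> dict:
    """Return what the gelf output would see for host and sender after filtering."""
    event = apply_host_filter(parse_template_line(line))
    return {
        "host": event["host"],
        "sysloghost_present": "sysloghost" in event,
        "sender": sprintf("%{@source_host}", event),
    }


if __name__ == "__main__":
    print(check_pipeline(SAMPLE_LINE))
```

A literal `%{@source_host}` in the result is the sign that the gelf `sender` option is pointing at a field this template never sends.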
On Tuesday, 25 October 2016 15:43:15 UTC+2, Jochen Schalanda wrote:
>
> Hi,
>
> what kind of input did you create in Graylog and how did you configure it?
>
> I'm also not sure if you really want to have that TCP input in Logstash…
>
> FWIW, if you only want to read files and send their contents to Graylog,
> I'd recommend using Filebeat or nxlog which can both be managed via the
> Graylog Collector Sidecar.
>
>
> Cheers,
> Jochen
>
> On Tuesday, 25 October 2016 14:48:56 UTC+2, Benbrahim Anass wrote:
>>
>> Yeah, I already saw that,
>> here is my conf
>> input {
>> tcp {
>> type => "tcp"
>> port => "12201"
>> }
>> file {
>> path => "/var/log/messages"
>> type => "rsyslog"
>> start_position => "beginning"
>> }
>> }
>>
>>
>> output {
>> gelf {
>> host => "10.56.130.70"
>> port => 12201
>> }
>> }
>>
>>
>> <https://lh3.googleusercontent.com/-z4M_DLKaJQ8/WBBQELalhwI/AAAAAAAAAds/7QsuKX3nMcE7ujd4FTQkhaZ3YrKD8nogQCLcB/s1600/gelf%2Breciever.png>
>> <https://lh3.googleusercontent.com/-jdWhRMqcIw0/WBBQe5UnFYI/AAAAAAAAAdw/FL0zyT7ore8qkgvLn7HHpn6w7RCCHSPOgCLcB/s1600/telnet.png>
>> logstash will allow me to use filters, that's the point from the beginning
>> but I don't see any connection on the port 12201 on the graylog server.
>> the port is open, it's not that, nor the firewall
>>
>> any suggestions?
>> thanks
>>
>> On Tuesday, 25 October 2016 14:31:00 UTC+2, Jochen Schalanda wrote:
>>>
>>> Hi,
>>>
>>> On Tuesday, 25 October 2016 13:19:51 UTC+2, Benbrahim Anass wrote:
>>>>
>>>> I'm wondering if it is possible to send logs via logstash/gelf to
>>>> Graylog2; if it is, I'm going to need an example of a logstash output via GELF
>>>>
>>>
>>> Of course that's possible.
>>>
>>> See
>>> https://www.elastic.co/guide/en/logstash/2.4/plugins-outputs-gelf.html
>>> for the relevant documentation.
>>>
>>> Cheers,
>>> Jochen
>>>
>>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/25fe10e3-6ad4-4e29-a9c4-db85aa4a6cbf%40googlegroups.com.