С logstash плохо знаком. Поднял стек Logstash+Elasticsearch+Kibana
есть конфиг
root@logserver:~# cat /etc/logstash/conf.d/10-syslog.conf
input {
tcp {
port => 514
type => syslog
}
udp {
port => 514
type => syslog
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{
@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
На циске :
logging facility local6
logging host LOGSTASHSERVER_IP
Но пока тихо в Kibana
Простой
