Hello.

Can someone tell me how to set up collection of syslog logs from network hardware into Elasticsearch + Kibana + Logstash (ELK)?
The hardware is a Zyxel Zywall and an Eltex TAU, plus a CentOS server.

I set up the server following this article https://www.digitalocean.com/community/tutorials/h...
And
https://blog.devita.co/2014/09/04/monitoring-pfsen...

The Zyxel sends its logs to port 514.
The log lines look like this:
02-17-2015  15:29:07        Local1.Info     192.168.91.254  Feb 17 15:29:09 zywall- zw1100 cef: 0 | zyxel | zywall 1100 || 0 | ike | 4 | src=xxx.xxx.xxx.xxxdst=xx.xx.xx.xxspt=500 dpt=500 msg=Recv:[HASH][NOTIFY: R_U_THERE_ACK ]


But the logs never arrive. I looked at the logs and everything seems fine. I don't know where to dig further.
I disabled FirewallD and set SELinux to SELINUX=permissive.
I can log in to the web interface successfully.
Here are the Logstash configs themselves:
pastebin.com/wJYdNefH 01-inputs.conf
pastebin.com/CtevsM1T logstash.conf
pastebin.com/9aBPVzfL 10-syslog.conf
pastebin.com/ZaJqrcF9 30-outputs.conf

By the way, I don't see a logstash process in htop; is that how it should be?
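As an added illustration (not code from the question and not part of Logstash), here is a Python parser for the Zywall line format shown above, splitting the CEF header and its key=value extension the way a Logstash filter would have to. The sample line is constructed: it restores the field separators lost in the copy above, uses documentation-range addresses, and assumes the hostname is `zywall-zw1100`.

```python
import re
# Constructed sample in the layout the question shows: viewer columns (date,
# time, facility.severity, sender IP), then the firewall's own timestamp, host
# and CEF record. Separators the page's copy lost are restored; IPs are RFC 5737.
SAMPLE = ("02-17-2015 15:29:07 Local1.Info 192.168.91.254 "
          "Feb 17 15:29:09 zywall-zw1100 cef: 0 | zyxel | zywall 1100 || 0 | ike | 4 | "
          "src=203.0.113.5 dst=198.51.100.7 spt=500 dpt=500 "
          "msg=Recv:[HASH][NOTIFY: R_U_THERE_ACK ]")

CEF_HEADER = ["version", "vendor", "product", "device_version",   # CEF header order
              "signature_id", "name", "severity"]

PREFIX_RE = re.compile(
    r"^(?P<recv_date>\d{2}-\d{2}-\d{4})\s+(?P<recv_time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<facility>\w+)\.(?P<level>\w+)\s+(?P<sender>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dev_time>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"cef:(?P<cef>.*)$", re.IGNORECASE)

def split_cef(body):
    """Seven header fields plus the raw extension; '\\|' is an escaped pipe."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # keep the escaped char literally
            cur.append(body[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    return fields + [body[i:]]

def parse_extension(ext):
    """key=value pairs; a value runs to the next ' key=' token, so spaces and
    ':' inside msg= survive (a literal ' x=' inside a value is ambiguous in CEF)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"(\w+)=(.*?)(?=\s\w+=|$)", ext)}

def parse_zywall_line(line):
    """One Zywall syslog line -> flat dict, the shape an Elasticsearch doc needs."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("not a Zywall CEF syslog line")
    rec = m.groupdict()
    parts = split_cef(rec.pop("cef"))
    if len(parts) != 8:                 # malformed header: refuse, don't guess
        raise ValueError("expected 7 CEF header fields, got %d" % (len(parts) - 1))
    rec.update(zip(CEF_HEADER, (p.strip() for p in parts[:7])))
    rec.update(parse_extension(parts[7]))
    return rec
```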

1 Answer

Logstash should be running :) who else is going to deliver the collected logs to Elasticsearch? Try adding -v when you run logstash and see what appears in the console output
  • And where are your filters and parsing rules for incoming syslog messages? www.logstash.net/docs/1.4.2/inputs/syslog – Elderly Vampire Feb 17 '15 at 12:22
  • You need to understand how this stack works: your Logstash works with a set of filters; in this case it acts as the syslog aggregation server, receiving standardized packets, parsing them according to the rules and pushing the parse result into Elasticsearch. – Elderly Vampire Feb 17 '15 at 12:25
  • I looked: Logstash starts, the CPU sits at 100%, it spins for a while and exits. It lasts about 30 seconds.
    There is nothing in /var/log/logstash.err, and the following is in logstash.log:
    {:timestamp=>"2015-02-17T16:26:44.496000+0700", :message=>"Error: Expected one of #, => at line 129, column 17 (by $
    {:timestamp=>"2015-02-17T16:26:44.504000+0700", :message=>"You may be interested in the '--configtest' flag which $


    I already understood how this chain works.
    I'm just confused about the syslog config.
    curl http://localhost:9200
    {"status":200,"name":"Silver Dagger","cluster_name":"elasticsearch","version":{"number":"1.4.3","build_hash":"36a29a7144cfde87a960ba039091d40856fcb9af","build_timestamp":"2015-02-11T14:23:15Z","build_snapshot":false,"lucene_version":"4.10.3"},"tagline":"You Know, for Search"}


    But when I try
    [root@centi /opt/logstash/bin]# java -jar logstash.jar agent --configtest --config logstash.conf
    Error: Unable to access jarfile logstash.jar
    – Dracula's Fashion Feb 17 '15 at 12:47
  • What version of Logstash is installed?
    ls -lah /opt/logstash/bin
    rpm -qi logstash
    The latest version is launched without specifying the Java VM:
    www.logstash.net/docs/1.4.2/tutorials/10-minute-wa ..
    – Elderly Vampire Feb 17 '15 at 13:08
  • Elderly Vampire:
    ~ logstash | ⇒ sudo bin/logstash -f /etc/logstash/conf.d/10-syslog.conf
    Using milestone 2 input plugin 'tcp'. This plugin should be stable, but please let us know! For more information on plugin milestones, see http://logstash.net/docs/1.4.2-modified/plugin-milestones {:level=>:warn}
    Using milestone 2 input plugin 'udp'. This plugin should be stable, but please let us know! For more information on plugin milestones, see http://logstash.net/docs/1.4.2-modified/plugin-milestones {:level=>:warn}
    Could not start TCP server: Address in use {:host=>"0.0.0.0", :port=>514, :level=>:error}
    +---------------------------------------------------------+
    | An unexpected error occurred. This is probably a bug.   |
    | You can find it:                                        |
    |                                                         |
    | * chat: #logstash IRC channel on freenode irc.          |
    |   IRC via the web: http://goo.gl/TI4Ro                  |
    | * email: [email protected]                              |
    | * bug system: https://logstash.jira.com/                |
    |                                                         |
    +---------------------------------------------------------+
    The error message is: Address already in use - bind - The address is already in use


    I looked up the error: stackoverflow.com/questions/27829354/an-unexpected... there they advise changing the port.
    – Dracula's Fashion Feb 17 '15 at 13:24
  • [[SashaSkot]]: there really was a port error. I took the syslog config from here .2/tutorials/getting-started -..., launched the 10-syslog.conf config with bin/logstash -f, connected to the server via telnet on port 5000 and everything worked :)
    So it turns out Logstash doesn't want to work with the standard ports (22, 514, etc.)?
    – Dracula's Fashion Feb 17 '15 at 13:57
  • Well, if they are already busy on your machine, how is it going to bind them?
    netstat -talnp | grep ":22\|:514"
    sshd is sitting on 22, the syslog daemon on 514
    – Elderly Vampire Feb 17 '15 at 17:06