Requirement: syslog messages received by Logstash must be forwarded both to Elasticsearch and to a Sangfor (深信服) log audit appliance.
I assumed that simply adding a syslog output block would do the job, but Logstash failed at startup: by default Logstash does not ship with the logstash-output-syslog plugin, so the plugin has to be installed before the pipeline will start.
    syslog {
        facility => …
        host => …
        port => …
        severity => …
    }
Startup produced the following error:
    Couldn't find any output plugin named 'syslog'. Are you sure this is correct? Trying to load the syslog output plugin resulted in this error: no such file to load

After installing the plugin, starting Logstash with the following configuration file works (note that the quotes must be plain ASCII double quotes; typographic quotes are a parse error in Logstash config):
    input {
        syslog {
            type => "rsyslog"
            port => 514
        }
    }
    filter {
    }
    output {
        elasticsearch {
            hosts => ["127.0.0.1:9200"]
            flush_size => 1
            index => "syslog-%{+YYYY.MM.dd}"
        }
        syslog {
            facility => ["kernel"]
            host => "1.2.3.4"
            port => 514
            severity => ["debug"]
        }
    }
Appendix: logstash-output-syslog settings reference:

Details

appname
- Value type is string
- Default value is "LOGSTASH"
application name for syslog message

codec
- Value type is codec
- Default value is "plain"
The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output, without needing a separate filter in your Logstash pipeline.

facility
- This is a required setting.
- Value can be any of: kernel, user-level, mail, daemon, security/authorization, syslogd, line printer, network news, uucp, clock, security/authorization, ftp, ntp, log audit, log alert, clock, local0, local1, local2, local3, local4, local5, local6, local7
- There is no default value for this setting.
facility label for syslog message

host
- This is a required setting.
- Value type is string
- There is no default value for this setting.
syslog server address to connect to

message
- Value type is string
- Default value is "%{message}"
message text to log

msgid
- Value type is string
- Default value is "-"
message id for syslog message

port
- This is a required setting.
- Value type is number
- There is no default value for this setting.
syslog server port to connect to

procid
- Value type is string
- Default value is "-"
process id for syslog message

protocol
- Value can be any of: tcp, udp
- Default value is "udp"
syslog server protocol. you can choose between udp and tcp

rfc
- Value can be any of: rfc3164, rfc5424
- Default value is "rfc3164"
syslog message format: you can choose between rfc3164 or rfc5424

severity
- This is a required setting.
- Value can be any of: emergency, alert, critical, error, warning, notice, informational, debug
- There is no default value for this setting.
severity label for syslog message

sourcehost
- Value type is string
- Default value is "%{host}"
source host for syslog message

timestamp (DEPRECATED)
- DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
- Value type is string
- Default value is "%{@timestamp}"
timestamp for syslog message

workers
- Value type is number
- Default value is 1
The number of workers to use for this output. Note that this setting may not be useful for all outputs.
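To make the facility, severity, rfc and protocol settings above concrete, here is an added Python illustration (not code from this post or from the Logstash project). It maps the facility and severity labels listed in the reference to the numeric PRI value that leads every syslog line (facility * 8 + severity, so the post's kernel/debug pair becomes <7>), renders a message in the RFC 3164 and RFC 5424 layouts the plugin offers, and pushes it through a loopback UDP socket that stands in for the audit appliance. The exact line layout is an approximation of the formats named, the timestamp is fixed for reproducibility, and the message text and the local listener are constructed for the example.

```python
"""Build, send and decode syslog lines using the facility/severity labels
from the logstash-output-syslog settings reference.

Added illustration, not Logstash project code. The RFC 3164 / RFC 5424 line
layouts approximate what the plugin emits; the UDP loopback exchange is a
constructed stand-in for Logstash talking to the log audit appliance.
"""
import socket
from datetime import datetime, timezone

# Facility labels in the order the plugin documentation lists them; the index
# in this list is the facility code (0..23). "security/authorization" and
# "clock" genuinely appear twice (codes 4/10 and 9/15) in the syslog RFCs.
FACILITIES = [
    "kernel", "user-level", "mail", "daemon", "security/authorization",
    "syslogd", "line printer", "network news", "uucp", "clock",
    "security/authorization", "ftp", "ntp", "log audit", "log alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity labels in the order listed; index is the severity code (0..7).
SEVERITIES = [
    "emergency", "alert", "critical", "error", "warning", "notice",
    "informational", "debug",
]


def priority(facility: str, severity: str) -> int:
    """PRI value carried in the leading <N>: facility * 8 + severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def format_message(message, facility, severity, *, rfc="rfc3164",
                   sourcehost="logstash", appname="LOGSTASH", procid="-",
                   msgid="-", when=None) -> str:
    """Render one syslog line using the plugin defaults (appname LOGSTASH, procid/msgid "-")."""
    # Fixed timestamp so the output is reproducible (assumption for the example).
    when = when or datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    pri = priority(facility, severity)
    if rfc == "rfc5424":
        ts = when.strftime("%Y-%m-%dT%H:%M:%SZ")
        # VERSION is always 1; the lone "-" is the empty STRUCTURED-DATA field.
        return f"<{pri}>1 {ts} {sourcehost} {appname} {procid} {msgid} - {message}"
    if rfc == "rfc3164":
        # RFC 3164 uses a space-padded day ("Jan  5"), not a zero-padded one.
        ts = f"{when.strftime('%b')} {when.day:2d} {when.strftime('%H:%M:%S')}"
        return f"<{pri}>{ts} {sourcehost} {appname}[{procid}]: {message}"
    raise ValueError(f"rfc must be rfc3164 or rfc5424, got {rfc!r}")


def decode_priority(line: str) -> tuple:
    """Split a received line's <PRI> header back into (facility label, severity label)."""
    if not line.startswith("<") or ">" not in line:
        raise ValueError("missing <PRI> header")
    pri = int(line[1:line.index(">")])
    if not 0 <= pri <= 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def udp_roundtrip(line: str) -> str:
    """Send one datagram to a loopback listener and return what it received.

    Mirrors protocol => "udp": no connection, no acknowledgement, and nothing
    on the wire authenticates the sender, so a dropped or forged datagram is
    invisible to the sending side. Constructed local exchange, not a real
    appliance; an ephemeral port is used instead of privileged 514.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(line.encode("utf-8"), server.getsockname())
        server.settimeout(2)
        data, _ = server.recvfrom(65535)
        return data.decode("utf-8")
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    # Constructed event mirroring facility => ["kernel"], severity => ["debug"].
    for rfc in ("rfc3164", "rfc5424"):
        wire = format_message("test event from logstash", "kernel", "debug", rfc=rfc)
        received = udp_roundtrip(wire)
        print(rfc, "->", received, decode_priority(received))
```

Two practical points follow from the code: with the post's choice of kernel/debug, every forwarded event reaches the audit appliance with the same PRI (<7>), so the original facility and severity of the source message are lost unless the plugin is pointed at event fields instead of fixed labels; and because the default protocol is UDP, the appliance sees no difference between a datagram from Logstash and one from any other host that can reach port 514, which is why protocol => "tcp" and network-level restriction of who may talk to the collector are worth considering.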
Permalink to this article: https://danteng.org/logstash-syslog-output-to-another-device/