
I want my local instance of Logstash to forward syslog and all /var/log/* files to a remote, central instance of Logstash.

The pipeline in /etc/logstash/conf/logstash-local.conf looks as follows:

input {
  file {
    type => "syslog"
    path => [ "/var/log/*.log", "/var/log/syslog" ]
  }
}
output {
  stdout { codec => rubydebug }
  tcp {
    host => "logging.example.com"
    port => 5000
  }
}

When I try and execute logger "foo", the event is logged to the local syslog, but it is not found in my remote Logstash. Neither are other events from syslog.

Things I tried:

  • The local Logstash reports in its log file that the pipeline is running correctly
  • I connected with telnet to the remote server, and verified direct input is correctly processed
  • Permissions were locally changed to grant user Logstash membership in the adm group

Everything looks perfect... but it does not work! :)

0xF2

1 Answer


If you haven't made sure of it, the tcp {} output uses the json codec for transmissions. If your receiving side isn't expecting that, you'll get a lot of not much of anything. Other than that, the config you have looks solid. No filters on outputs, so everything should go to both.

In terms of debugging, when it launches check your network statistics to see if a TCP connection is trying to be opened to your remote. Something stuck in SYN_SENT is a sign of something other than Logstash being the problem here. If you're still not getting that connection opened, it's probably worth launching logstash with a system-call tracer like strace (Linux systems) or procmon (Windows systems) to see what happens to the connection-creation call.

sysadmin1138
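The connection-state check described in the answer above, as an added example that is not part of the original answer: it reads `ss -tan` output and maps the states seen toward the remote port to the next debugging step. It assumes `ss` from iproute2 on the sending host; the function names and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer). Function names are hypothetical.
# Reads `ss -tan` output on stdin and counts TCP states per remote port.
# Note: ss prints SYN-SENT; netstat prints the same state as SYN_SENT.
logstash_conn_states() {
    awk -v port="$1" '
        $1 == "State" { next }                 # skip the ss header row
        {
            n = split($5, peer, ":")           # column 5 is peer address:port
            if (peer[n] == port) count[$1]++   # last field works for IPv6 too
        }
        END { for (s in count) printf "%s=%d\n", s, count[s] }' | sort
}

# Map the observed states to the next debugging step named in the answer.
diagnose() {
    states=$(logstash_conn_states "$1")
    case "$states" in
        *ESTAB*)    echo "established: connection is open, check the receiver's codec" ;;
        *SYN-SENT*) echo "syn-sent: something other than Logstash is the problem" ;;
        "")         echo "none: no connection attempt, trace the process with strace" ;;
        *)          echo "other: $states" ;;
    esac
}

# Constructed sample input (addresses are documentation ranges, not real hosts).
SAMPLE_STUCK='State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      192.0.2.20:22       198.51.100.7:50122
SYN-SENT  0      1      192.0.2.20:40312    203.0.113.10:5000'
SAMPLE_OPEN='State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB     0      0      192.0.2.20:40312    203.0.113.10:5000'
SAMPLE_NONE='State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:22          0.0.0.0:*'

printf '%s\n' "$SAMPLE_STUCK" | diagnose 5000
# Live use on the sending host: ss -tan | diagnose 5000
```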