logstash配置syslog外发

需求：logstash收到的syslog日志发往elasticsearch和深信服日志审计设备。

本以为直接写outside就可以解决问题，启动时报错，logstash默认情况下未安装logstash-output-syslog组件，需先安装此组件才能正确启动。

syslog {

facility => …

host => …

port => …

severity => …

}

启动时有如下报错：

Couldn’t find any output plugin named ‘syslog’. Are you sure this is correct? Trying to load the syslog output plugin resulted in this error: no such file to load

安装后使用下列配置文件启动即可。

input{

syslog {

type => “rsyslog”

port => 514

}

}

filter{

}

output{

elasticsearch {

hosts => [“127.0.0.1:9200”]

flush_size => 1

index => “syslog-%{+YYYY.MM.dd}”

}

syslog {

facility => [“kernel”]

host => “1.2.3.4”

port => 514

severity => [“debug”]

}

}

附logstash-output-syslog配置文件说明：

Details

appname

• Value type is string
• Default value is "LOGSTASH"

application name for syslog message

codec

• Value type is codec
• Default value is "plain"

The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output, without needing a separate filter in your Logstash pipeline.

facility

• This is a required setting.
• Value can be any of: kernel, user-level, mail, daemon, security/authorization, syslogd, line printer, network news, uucp, clock, security/authorization, ftp, ntp, log audit, log alert, clock, local0, local1, local2, local3, local4, local5, local6, local7
• There is no default value for this setting.

facility label for syslog message

host

• This is a required setting.
• Value type is string
• There is no default value for this setting.

syslog server address to connect to

message

• Value type is string
• Default value is "%{message}"

message text to log

msgid

• Value type is string
• Default value is "-"

message id for syslog message

port

• This is a required setting.
• Value type is number
• There is no default value for this setting.

syslog server port to connect to

procid

• Value type is string
• Default value is "-"

process id for syslog message

protocol

• Value can be any of: tcp, udp
• Default value is "udp"

syslog server protocol. you can choose between udp and tcp

rfc

• Value can be any of: rfc3164, rfc5424
• Default value is "rfc3164"

syslog message format: you can choose between rfc3164 or rfc5424

severity

• This is a required setting.
• Value can be any of: emergency, alert, critical, error, warning, notice, informational, debug
• There is no default value for this setting.

severity label for syslog message

sourcehost

• Value type is string
• Default value is "%{host}"

source host for syslog message

timestamp (DEPRECATED)

• DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
• Value type is string
• Default value is "%{@timestamp}"

timestamp for syslog message

workers

• Value type is number
• Default value is 1

The number of workers to use for this output. Note that this setting may not be useful for all outputs.

本文链接地址: logstash配置syslog外发