LS not ingesting syslog
bluefangs opened this issue · 1 comments
bluefangs commented
Hi Rob,
I've installed this in a docker container; this is the current docker-compose.yaml:

```yaml
version: '2'
services:
  elasticsearch:
    image: elasticsearch-img:6.3.2
    container_name: elasticsearch-container
    volumes:
      - /data/elasticsearch-1/:/usr/share/elasticsearch/data
    ports:
      - 9200:9200 # Elasticsearch HTTP
      - 9300:9300 # Elasticsearch TCP transport
    network_mode: bridge
    restart: always
    environment:
      # - cluster.name=docker-cluster
      # - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms4g -Xmx4g"
    ulimits:
      memlock:
        soft: -1
        hard: -1
  logstash:
    image: logstash-img:6.3.2
    container_name: logstash-container
    ports:
      - 5000:5000 # logstash TCP input
      - 514:5140 # listen to syslog on 514 (host), map it to 5140 (container); 514 is reserved and needs root
      - 514:5140/udp # listen to syslog on 514 (host), map it to 5140 (container); 514 is reserved and needs root
    restart: always # restarts on reboot
    environment:
      - "LS_JAVA_OPTS=-Xms8g -Xmx8g"
      - "SYNLITE_SYSLOG_TEMPLATE_PATH=/usr/share/logstash/syslog/templates"
      - "SYNLITE_SYSLOG_GROK_PATTERNS_DIR=/usr/share/logstash/syslog/patterns"
      - "SYNLITE_SYSLOG_RESOLVE_IP2HOST=true"
      - "SYNLITE_SYSLOG_NAMESERVER=8.8.8.8"
      - "SYNLITE_SYSLOG_ES_HOSTS=elasticsearch:9200"
      # - "SYNLITE_SYSLOG_ES_USER=elastic"
      # - "SYNLITE_SYSLOG_ES_PASSWORD=changeme"
      - "SYNLITE_SYSLOG_TCP_HOST=0.0.0.0"
      - "SYNLITE_SYSLOG_TCP_PORT=514"
      - "SYNLITE_SYSLOG_UDP_HOST=0.0.0.0"
      - "SYNLITE_SYSLOG_UDP_PORT=514"
      - "SYNLITE_SYSLOG_MSG_TIMESTAMP=true"
      - "SYNLITE_SYSLOG_TZ=UTC"
    network_mode: bridge
    links:
      - elasticsearch
    depends_on:
      - elasticsearch
```
Initially, a port mapping of 514:514 made docker crib, stating that permission was denied. I'm guessing this is because it's a port < 1000 and hence is privileged. I've mapped 514:5140 within the container.
My /etc/rsyslog.conf looks like below:

```
...
...
# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")
# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")
...
...
```
I'm able to see syslog being written to /var/log/syslog. It works when I do something like: `logger -s " This is a test "`
However, I do not see anything being picked up by LS/ES. What am I missing?
Thanks
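As an added diagnostic, not part of the original issue or of the project's own code: the script below reads the `ports` and `environment` lists of a compose service (the `PORTS` and `ENVIRONMENT` values are a constructed copy of the logstash service above) and reports, for each `SYNLITE_SYSLOG_TCP_PORT`/`SYNLITE_SYSLOG_UDP_PORT` listener, which published host port actually forwards to the port Logstash listens on inside the container. It also builds an RFC 3164 line like the one `logger` emits, so the published port can be exercised from the sending host. The `check_listeners` and `send_test_message` helpers are hypothetical names chosen here.

```python
"""Check that every syslog listener configured inside a Logstash container
has a published docker-compose port mapping that reaches it.

Added example, not the project's code. PORTS and ENVIRONMENT below are a
constructed copy of the logstash service values from the issue above.
"""
import re
import socket
from datetime import datetime

# Constructed sample input: the two lists as a YAML loader would return them.
PORTS = [
    "5000:5000",
    "514:5140",
    "514:5140/udp",
]
ENVIRONMENT = [
    "SYNLITE_SYSLOG_TCP_HOST=0.0.0.0",
    "SYNLITE_SYSLOG_TCP_PORT=514",
    "SYNLITE_SYSLOG_UDP_HOST=0.0.0.0",
    "SYNLITE_SYSLOG_UDP_PORT=514",
]

# Compose short syntax: [HOST_IP:]HOST_PORT:CONTAINER_PORT[/PROTO], default tcp.
PORT_RE = re.compile(
    r"^(?:(?P<ip>[\d.]+):)?(?P<host>\d+):(?P<container>\d+)(?:/(?P<proto>tcp|udp))?$"
)


def parse_port_mapping(spec):
    """Return (host_port, container_port, proto) for one compose port entry."""
    m = PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unsupported port spec: {spec!r}")
    return int(m.group("host")), int(m.group("container")), (m.group("proto") or "tcp")


def env_to_dict(env_list):
    """Turn ['KEY=value', ...] into a dict (value keeps any '=' after the first)."""
    out = {}
    for item in env_list:
        key, _, value = item.partition("=")
        out[key] = value
    return out


def check_listeners(ports, environment):
    """For each configured listener return (proto, container_listen_port, published_host_port).

    published_host_port is None when no mapping of that protocol targets the
    port Logstash binds inside the container, i.e. traffic published on the
    host can never reach the listener.
    """
    mappings = [parse_port_mapping(p) for p in ports]
    env = env_to_dict(environment)
    results = []
    for proto, var in (("tcp", "SYNLITE_SYSLOG_TCP_PORT"), ("udp", "SYNLITE_SYSLOG_UDP_PORT")):
        if var not in env:
            continue
        listen = int(env[var])
        published = next((h for h, c, pr in mappings if c == listen and pr == proto), None)
        results.append((proto, listen, published))
    return results


def build_rfc3164(priority, hostname, tag, message, when=None):
    """Build a classic BSD syslog line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.

    RFC 3164 wants the day of month space-padded to two characters.
    """
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{priority}>{ts} {hostname} {tag}: {message}"


def send_test_message(host, port, line, proto="udp"):
    """Send one syslog line to host:port from the machine that runs rsyslog."""
    data = line.encode("utf-8")
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    else:
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(data + b"\n")


if __name__ == "__main__":
    for proto, listen, published in check_listeners(PORTS, ENVIRONMENT):
        if published is None:
            print(f"{proto}: Logstash listens on {listen} inside the container, "
                  f"but no published {proto} port maps to it")
        else:
            print(f"{proto}: host port {published} -> container port {listen}")
```

Run against the values in the issue, both listeners are reported as unreachable: the container binds 514 while the mappings publish host 514 to container 5140. Once the script reports a host port for each protocol, `send_test_message("<docker-host>", 514, build_rfc3164(13, "myhost", "test", "hello"))` from the rsyslog machine confirms the path end to end (the host name is a placeholder).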
robcowart commented
I have just released a container for this solution. If you are still looking for a solution, please try it.