Send events to a Syslog server

About the Logstash Syslog output plugin

This integration uses Logstash, the log-processing component of the ELK stack, together with the logstash-output-syslog plugin to forward the events that pass through the Logstash pipeline (the same events Logstash indexes in Elasticsearch) to an external Syslog server.

The plugin sends RFC 3164- or RFC 5424-compliant messages over UDP or TCP, and can wrap the TCP connection in TLS (protocol => "ssl-tcp"). Plain UDP and TCP carry the events in clear text without transport authentication, and UDP delivery is also unacknowledged, so prefer ssl-tcp when the Syslog server is not on the same host or on a trusted network segment.

By default, the contents of the event's message field are transmitted as the free-form message text part of the emitted Syslog message.
If your events do not include a message field, or you want to change what is emitted, set the plugin's message option to a different field reference or format string.

You may need root-level access to run the commands that install and configure the plugin.

  • Obtain a root login shell by running sudo -i:

    # Root-access login shell
    sudo -i


    To work as a different user than the one currently logged in, append -u:

    # Open a login shell as a different user
    sudo -i -u ${user_name}

    # Run a single command as a different user
    sudo -i -u ${user_name} ${command} ${options}

Install the plugin

The bin/logstash-plugin script manages the plugin lifecycle in your Logstash deployment. On package-based installs the Logstash home directory is /usr/share/logstash, so the script is /usr/share/logstash/bin/logstash-plugin; the plugins it installs are stored under the Logstash home directory, not in bin.

To install the Syslog output plugin for Logstash on the platform instance, run the following command. The install step fetches the plugin from RubyGems, so the instance needs outbound access to rubygems.org; for hosts without it, build an offline plugin pack on a connected machine with logstash-plugin prepare-offline-pack and install from that file instead (see the Logstash offline plugin documentation). Restart Logstash after installing a plugin so that the pipeline can load it.

# Install the plugin
/usr/share/logstash/bin/logstash-plugin install logstash-output-syslog

# Expected output
Validating logstash-output-syslog
Installing logstash-output-syslog
Installation successful

Configure the plugin

By default, Logstash configuration files are stored in the /etc/logstash/conf.d directory. Logstash reads every .conf file in that directory into a single pipeline, so an output defined in any one of them receives the events from all the inputs unless you restrict it with a conditional.

If you want to send all Logstash event messages to a Syslog server, create an output.conf file in that directory with the global output settings.
Alternatively, append the output section to a specific Logstash .conf file, after its input section.

The minimum configuration settings you should set are:

  id
    A unique ID for this plugin instance. If you do not set one, Logstash generates it. An explicit ID is useful when you run two or more plugins of the same type, for example two syslog outputs, because it identifies each one in Logstash logs and monitoring output.

  host
    Hostname or IP address of the Syslog server to send the Logstash output to. Required.

  port
    Port on which the Syslog server listens. Required. Conventional values are 514 for UDP or TCP and 6514 for TLS (ssl-tcp).

Example

output {
  syslog {
    id => "eiq_platform_ext_syslog"
    host => "127.0.0.1"
    port => 514
  }
}

The host and port values are placeholders; replace them with the address and listening port of your Syslog server. When protocol is not set, the plugin sends over UDP.

For further details about all the available configuration options for the Syslog output plugin, see Syslog Output Configuration Options.
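As an added example, not code from the original page or from the plugin, the following Python script pulls the syslog blocks out of the output section of a Logstash config and checks them against the points above: host and port present and valid, an explicit id, and whether the transport is the clear-text default. The two embedded configs are constructed for the example (the collector hostname and CA path are placeholders); the udp default, the ssl-tcp protocol value and the ssl_verify and ssl_cacert option names are taken from the plugin's option list and are assumptions of this script, not verified against a running Logstash.

```python
"""Static check of the syslog output blocks in a Logstash pipeline config (added example)."""
import re
import sys

REQUIRED = ("host", "port")  # settings the syslog output will not start without
DEFAULT_PROTOCOL = "udp"     # assumption: what the plugin uses when protocol is unset
# key => "string" | number | true/false; arrays and hashes are ignored by this scan
SETTING_RE = re.compile(r'(\w+)\s*=>\s*(?:"([^"]*)"|(\d+)|(true|false))')


def strip_comments(text):
    """Drop full-line # comments (assumption: no inline comments after a value)."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def iter_blocks(text, name):
    """Yield the body of every `name { ... }` block, matching braces.
    Braces in field references such as "%{message}" are balanced, so they do not upset the count."""
    for m in re.finditer(r"\b" + re.escape(name) + r"\s*\{", text):
        depth = 0
        for i in range(m.end() - 1, len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    yield text[m.end():i]
                    break
        else:
            raise ValueError(f"unbalanced braces in {name} block")


def parse_settings(body):
    """Return the scalar settings of one plugin block as a dict."""
    settings = {}
    for key, string, number, boolean in SETTING_RE.findall(body):
        settings[key] = int(number) if number else (boolean == "true") if boolean else string
    return settings


def check_syslog_outputs(conf):
    """Return (level, block, message) findings for every syslog output in conf."""
    text = strip_comments(conf)
    blocks = list(iter_blocks("\n".join(iter_blocks(text, "output")), "syslog"))
    if not blocks:
        return [("error", "-", "no syslog block found in the output section")]
    findings = []
    for n, body in enumerate(blocks, 1):
        s = parse_settings(body)
        name = s.get("id", f"syslog#{n}")
        for key in REQUIRED:
            if key not in s:
                findings.append(("error", name, f"required setting '{key}' is missing"))
        port = s.get("port")
        if port is not None and not (isinstance(port, int) and 1 <= port <= 65535):
            findings.append(("error", name, f"port {port!r} is not a valid port number"))
        if "id" not in s:
            findings.append(("info", name, "no id set; set one when running more than one syslog output"))
        protocol = s.get("protocol", DEFAULT_PROTOCOL)
        if protocol in ("udp", "tcp"):
            findings.append(("warning", name, f"protocol {protocol}: events cross the network "
                             "in clear text and the receiver is not authenticated"))
        elif protocol == "ssl-tcp":
            if s.get("ssl_verify") is not True:  # assumption: ssl_verify defaults to false
                findings.append(("warning", name, "ssl-tcp without ssl_verify => true: "
                                 "the server certificate is not checked"))
        else:
            findings.append(("error", name, f"unknown protocol '{protocol}'"))
    return findings


# Constructed sample configs: the page's example shape, and a hardened variant with placeholder names.
PAGE_EXAMPLE = """output {
  elasticsearch { hosts => ["localhost:9200"] }
  syslog {
    id => "eiq_platform_ext_syslog"
    host => "127.0.0.1"
    port => 514
  }
}
"""

HARDENED = """output {
  syslog {
    id => "eiq_platform_ext_syslog"
    host => "syslog.example.internal"
    port => 6514
    protocol => "ssl-tcp"
    ssl_verify => true
    ssl_cacert => "/etc/logstash/certs/collector-ca.pem"
    rfc => "rfc5424"
  }
}
"""

if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else PAGE_EXAMPLE
    for level, block, msg in check_syslog_outputs(conf):
        print(f"{level:8} {block}: {msg}")
```

Run it with the path of a pipeline file as the only argument; with no argument it checks the embedded page example and reports the clear-text UDP warning, while the hardened variant produces no findings.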

Output configuration examples

Example of an output configuration file with global settings for the plugin. The host and port are placeholders; replace them with your Syslog server's address and listening port:

/etc/logstash/conf.d/output.conf

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
  syslog {
    id => "eiq_platform_ext_syslog"
    host => "127.0.0.1"
    port => 514
  }
}

Example of a configuration file defining the input data sources for the logged event messages.
The output section that sends this input to a Syslog server is appended to the file, after the input section.

/etc/logstash/conf.d/eclecticiq-platform-api.conf

# Example file defining the locations of the log files for the platform backend
# and API, intel ingestion, and tasks. Each log path appears in exactly one file
# input: listing a path in two inputs would deliver every line from it twice.
input {
  file {
    path => ["/var/log/eclecticiq/platform-api.log", "/var/log/nginx/eclecticiq-platform-api-nginx-access.log"]
    codec => "json"
    tags => "platform-api"
  }

  file {
    path => ["/var/log/eclecticiq/intel-ingestion.log", "/var/log/eclecticiq/graph-ingestion.log", "/var/log/eclecticiq/search-ingestion.log"]
    codec => "json"
    tags => "ingestion"
  }

  file {
    path => ["/var/log/nginx/eclecticiq-platform-api-nginx-errors.log"]
    type => "nginx-error"
    tags => "platform-api"
  }

  file {
    path => ["/var/log/eclecticiq/task-worker-*.log", "/var/log/eclecticiq/task-beat.log", "/var/log/eclecticiq/task-queue-analysis-listener.log", "/var/log/eclecticiq/task-queue-enrichment-listener.log"]
    codec => "json"
    tags => "task-workers"
  }
}

output {
  syslog {
    id => "eiq_platform_ext_syslog"
    host => "127.0.0.1"
    port => 514
  }
}
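Before pointing the output at a production collector, it is worth running a throwaway receiver on the Logstash host and confirming that the emitted lines parse under the RFC you configured. The script below is an added example, not part of the original page or of the plugin: it listens on UDP or TCP on 127.0.0.1:5514 (a placeholder port), parses each line as RFC 5424 or RFC 3164, and decodes the PRI into facility and severity. The two embedded sample lines are constructed to the RFC formats using the plugin's documented defaults (facility user-level, severity notice, appname LOGSTASH); that they match the plugin's exact output, and that tcp messages are newline-terminated, are assumptions.

```python
"""Throwaway syslog receiver for testing a Logstash syslog output (added example)."""
import json
import re
import socket
import sys

# Facility codes 0-23 and severity codes 0-7 as defined in RFC 5424, section 6.2.1
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)
# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: CONTENT
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$", re.S)
TAG_RE = re.compile(r"^(?P<app>[^\[: ]+)(?:\[(?P<procid>[^\]]*)\])?:\s?(?P<msg>.*)$", re.S)


def parse_syslog(line):
    """Parse one RFC 5424 or RFC 3164 line into a dict; raise ValueError otherwise."""
    line = line.rstrip("\r\n")
    m = RFC5424_RE.match(line)
    if m:
        d = m.groupdict()
        d["rfc"] = "5424"
        d["msg"] = d["msg"] or ""
    else:
        m = RFC3164_RE.match(line)
        if not m:
            raise ValueError(f"not a syslog message: {line!r}")
        d = m.groupdict()
        d["rfc"] = "3164"
        rest = d.pop("rest")
        t = TAG_RE.match(rest)
        d.update(t.groupdict() if t else {"app": None, "procid": None, "msg": rest})
    pri = int(d.pop("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        raise ValueError(f"PRI {pri} out of range")
    d["facility"] = FACILITIES[pri >> 3]
    d["severity"] = SEVERITIES[pri & 7]
    return d


def is_syslog(line):
    """True when the line parses under either RFC."""
    try:
        parse_syslog(line)
        return True
    except ValueError:
        return False


def receive(protocol="udp", bind="127.0.0.1", port=5514, count=1):
    """Receive `count` messages (UDP datagrams, or newline-framed lines on one TCP
    connection) and return them parsed."""
    results = []
    if protocol == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.bind((bind, port))
            while len(results) < count:
                data, _peer = s.recvfrom(65535)
                results.append(parse_syslog(data.decode("utf-8", "replace")))
    elif protocol == "tcp":
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind((bind, port))
            s.listen(1)
            conn, _peer = s.accept()
            with conn, conn.makefile("rb") as f:
                for raw in f:
                    results.append(parse_syslog(raw.decode("utf-8", "replace")))
                    if len(results) >= count:
                        break
    else:
        raise ValueError(f"protocol must be udp or tcp, not {protocol!r}")
    return results


# Constructed samples using the plugin's defaults: facility user (1), severity notice (5) => PRI 13
SAMPLE_RFC3164 = "<13>Jan  5 10:11:12 platform-01 LOGSTASH[-]: task-worker-1 finished job 42\n"
SAMPLE_RFC5424 = '<13>1 2024-01-05T10:11:12.000Z platform-01 LOGSTASH - - - {"level":"INFO","msg":"ok"}\n'

if __name__ == "__main__":
    # usage: receiver.py [udp|tcp] [port]; point the Logstash output at 127.0.0.1:<port>
    proto = sys.argv[1] if len(sys.argv) > 1 else "udp"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5514
    for event in receive(proto, port=port, count=5):
        print(json.dumps(event))
```

Start the receiver, set host => "127.0.0.1", port => 5514 and the matching protocol on the syslog output, restart Logstash, and compare the parsed facility, severity, appname and msg fields with what the plugin options are meant to produce before switching host and port to the real collector.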

See also