
How can I centralize rsyslogs and use as input for logstash?


I want to send my rsyslogs from my client servers and use them as input in my logstash. This is what I found on the web:

On my client I added these lines to my rsyslog.conf:

$ModLoad imuxsock

$ModLoad imklog

# Provides UDP forwarding. The IP is the server's IP address
*.* @192.168.1.1:5040 

# Provides TCP forwarding. But the current server runs on UDP
# *.* @@192.168.1.1:5040

and added these lines to my server:

# provides support for local system logging
$ModLoad imuxsock 

# provides kernel logging support (previously done by rklogd)
$ModLoad imklog

# provides UDP syslog reception. For TCP, load imtcp.
$ModLoad imudp

# For TCP, InputServerRun 514
$UDPServerRun 514

# This one is the template to generate the log filename dynamically, depending on the client's IP address.
$template FILENAME,"/var/log/%fromhost-ip%/syslog.log"

# Log all messages to the dynamically formed file. Now each clients log (192.168.1.2, 192.168.1.3,etc...), will be under a separate directory which is formed by the template FILENAME.
*.* ?FILENAME

and restarted my rsyslog on both client and server. Then in my logstash I described my input like this:

input {
  tcp {
     port => 5040
     type => syslog
   }
   udp {
     port => 5040
     type => syslog
   }
}

but it doesn't do anything, and when I press Control + C it shows me this error:

SIGINT received. Shutting down the pipeline. {:level=>:warn}
UDP listener died {:exception=>#<IOError: closed stream>, :backtrace=>["org/jruby/RubyIO.java:3682:in `select'", " ...

I even used syslog as input in my logstash, but the result was the same.

input {
  syslog {
    port => 5040
    type => syslog
  }
}

and this is the output part of my logstash:

output {
  stdout { }
  solr_http {
    solr_url => "http://localhost:8983/solr/logstash_logs"
  }

}

What should I do to fix it?


Solution

  • The problem was because of my firewalld and iptables! After I disabled them, everything worked as it was supposed to!

    systemctl disable firewalld.service
    systemctl disable iptables.service
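
A way to tell a host firewall block apart from a missing Logstash listener on the forwarding port, as an added example that is not part of the original post. The function names and result labels are hypothetical, the probe message is constructed, and 192.168.1.1:5040 is the server address and port from the question.

```python
import errno
import socket
from datetime import datetime

def syslog_line(msg, host="probe-client", tag="fwprobe", facility=1, severity=6):
    """Build an RFC 3164-style line; PRI = facility * 8 + severity (user.info = 14)."""
    now = datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"  # day of month is space-padded
    return f"<{facility * 8 + severity}>{stamp} {host} {tag}: {msg}\n".encode()

def probe_tcp(server, port, timeout=3.0):
    """Send one test line over TCP and classify the outcome."""
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(syslog_line("tcp probe"))
        return "delivered"
    except ConnectionRefusedError:
        return "no-listener"  # host answered with RST: nothing bound to the port
    except socket.timeout:
        return "filtered-or-unreachable"  # packets silently dropped (DROP rule)
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered-or-unreachable"  # ICMP reject from a firewall, or no route
        raise

def probe_udp(server, port):
    """Send one test line over UDP and return the byte count. The sender gets no
    delivery signal, so confirm arrival on the receiver (e.g. logstash stdout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(syslog_line("udp probe"), (server, port))

def loopback_demo():
    """Constructed self-check on 127.0.0.1: open TCP port, closed TCP port, UDP receiver."""
    with socket.socket() as srv, socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        port = srv.getsockname()[1]
        tcp_open = probe_tcp("127.0.0.1", port)
        probe_udp("127.0.0.1", rx.getsockname()[1])
        udp_line = rx.recv(1024)
    tcp_closed = probe_tcp("127.0.0.1", port)  # listener is closed by now
    return tcp_open, tcp_closed, udp_line

if __name__ == "__main__":
    print(loopback_demo())
    # Against the setup in the question, run from a client: probe_tcp("192.168.1.1", 5040)
```

Run from a client, a "no-listener" result points at the Logstash input, while "filtered-or-unreachable" points at packet filtering or routing between the hosts.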