This short guide looks at the syslog input for Logstash. Syslog is a standard that defines a message format for log entries and a protocol for sending them to a remote server. It is very useful if you want to separate log generation from log storage, and it lets you centralize log storage and analysis. This input lets you set Logstash up as an RFC3164 compliant syslog server: it listens for BSD-style syslog messages and pulls the priority, timestamp, host and program fields out of each one. Lines that don't match the RFC3164 format are not dropped; they are still ingested, but tagged as a parse failure instead of being split into fields.
Quick Info
Links: Source | Documentation
Version: 1.4.2
Requirements: None
The short version
Setting up Logstash as a syslog server is really simple: you don't need to add any options to the input to get it running:

```
# Bare minimum
input {
  syslog {}
}
```

Logstash will now run as a syslog server, listening on port 514 (both TCP and UDP) on all of the machine's interfaces (0.0.0.0).
The longer version
The syslog input's defaults are quite sane, but you will probably want to change the interface it listens on: classic syslog carries no authentication, and the source address of a UDP datagram is trivially spoofed, so anything that can reach port 514 on any interface can inject arbitrary log lines into your pipeline. Bind to an internal interface and firewall the port. On Linux only root (or a process holding the CAP_NET_BIND_SERVICE capability) can bind ports below 1024, so rather than run Logstash as root you might consider moving it to a higher port as well, either pointing your clients at the new port or redirecting 514 to it with a firewall rule.
Custom interface and port
You can use the host and port settings to customize where Logstash will listen:

```
# Listen on interface 192.168.1.20, port 1514
input {
  syslog {
    host => "192.168.1.20"
    port => 1514
  }
}
```
Custom Labels
Incoming logs are automatically labelled with a human readable version of their severity and facility. You might want to use different labels than the predefined ones. Do this by setting the facility_labels and severity_labels settings. Each list must have the same number of elements as the original (8 severity labels, 24 facility labels) and follow the same numeric order (severity 0, emergency, first), otherwise your labels will be shifted and attached to the wrong messages:

```
# Custom Labels
input {
  syslog {
    severity_labels => [ "DANGER!", "BEEP BEEP", "Argh", "Something's Wrong", "Watch Out!", "Ummm", "Did you know", "I talk too much" ]
  }
}
```
You can also turn this feature off by setting use_labels to false. The severity and facility properties of the message will then contain the numeric severity and facility ids:

```
# No Labels
input {
  syslog {
    use_labels => false
  }
}
```
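To see what the labelling above actually does to a message, here is an added example (mine, not Logstash's own code) that works through the RFC3164 PRI header the way the input does: it splits PRI into facility and severity, attaches either the default labels or a custom list, passes unparseable lines through flagged rather than dropping them, and builds a test message you can fire at the listener from the custom interface and port section. The default label strings are assumed to match the plugin's 1.4.2 defaults; the sample log line is constructed.

```python
"""Work through what the syslog input does with the PRI header of an RFC 3164
message: split it into facility and severity, attach labels (or leave the raw
ids when use_labels is false), and build a test message for the listener.
Added example for this guide, not Logstash's own code."""
import datetime
import re
import socket

# Default label lists in RFC 3164 numeric order. Assumption: these match the
# plugin's defaults for 1.4.2; check the plugin docs for your version.
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error",
                   "Warning", "Notice", "Informational", "Debug"]
FACILITY_LABELS = ["kernel", "user-level", "mail", "system",
                   "security/authorization", "syslogd", "line printer",
                   "network news", "UUCP", "clock", "security/authorization",
                   "FTP", "NTP", "log audit", "log alert", "clock",
                   "local0", "local1", "local2", "local3",
                   "local4", "local5", "local6", "local7"]

# An RFC 3164 message starts with "<PRI>" where PRI is 0..191.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0..23 and severity 0..7")
    return facility * 8 + severity


def decode_pri(pri):
    """Inverse of encode_pri: returns (facility, severity)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI %d out of range 0..191" % pri)
    return pri // 8, pri % 8


def check_labels(facility_labels, severity_labels):
    """The input indexes into these lists by id, so a list of the wrong length
    (or in the wrong order) silently mislabels every message. Refuse it up front."""
    if len(facility_labels) != 24:
        raise ValueError("facility_labels needs 24 entries, got %d" % len(facility_labels))
    if len(severity_labels) != 8:
        raise ValueError("severity_labels needs 8 entries, got %d" % len(severity_labels))


def parse_syslog_line(line, use_labels=True,
                      facility_labels=FACILITY_LABELS,
                      severity_labels=SEVERITY_LABELS):
    """Return the priority fields the input adds for one line. A line with no
    valid PRI header is not dropped: it is passed through flagged as unparsed,
    mirroring how the input keeps lines its RFC 3164 pattern does not match."""
    check_labels(facility_labels, severity_labels)
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return {"message": line, "parsed": False}
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    event = {"message": m.group(2), "parsed": True, "priority": pri,
             "facility": facility, "severity": severity}
    if use_labels:
        event["facility_label"] = facility_labels[facility]
        event["severity_label"] = severity_labels[severity]
    return event


def build_message(facility, severity, hostname, tag, text, now=None):
    """Assemble an RFC 3164 line: "<PRI>Mmm dd hh:mm:ss host tag: text".
    The day is space padded to two characters as the RFC requires."""
    now = now or datetime.datetime.now()
    stamp = "%s %2d %s" % (now.strftime("%b"), now.day, now.strftime("%H:%M:%S"))
    return "<%d>%s %s %s: %s" % (encode_pri(facility, severity), stamp, hostname, tag, text)


def send_test_message(host, port, payload, udp=True):
    """Fire one message at the listener over UDP (the classic transport) or
    TCP (newline framed, which is what the input expects on its TCP socket)."""
    data = payload.encode("utf-8")
    if udp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    else:
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(data + b"\n")


if __name__ == "__main__":
    # Constructed sample: facility 4 (security/authorization), severity 6 (Informational), PRI 38.
    sample = "<38>Jan 12 10:00:00 bastion sshd[2142]: Accepted publickey for root from 10.0.0.5"
    print(parse_syslog_line(sample))
    print(parse_syslog_line(sample, use_labels=False))
    print(build_message(1, 5, "testhost", "config-check", "syslog input smoke test"))
    # Against the listener from the custom interface and port example:
    # send_test_message("192.168.1.20", 1514, build_message(1, 5, "testhost", "test", "hello"))
```

Run it once with the default labels, then again with the eight custom severity labels from the example above, and the shifted-label failure mode becomes obvious: pass a seven-entry list and check_labels rejects it instead of letting "Debug" fall off the end.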
All the options

- codec – String – The codec with which incoming logs should be interpreted. Defaults to plain.
- facility_labels – Array – The facility labels to use when use_labels is enabled. Defaults to the RFC3164 values.
- host – String – The address your syslog server should listen on. Defaults to 0.0.0.0.
- port – Numeric – The port your syslog server should listen on. Defaults to 514.
- severity_labels – Array – The severity labels to use when use_labels is enabled. Defaults to the RFC3164 values.
- use_labels – Boolean – Specify whether or not the severity and facility properties should be converted into human readable labels. Defaults to true.
No hassle Logstash configs, easily available in the Logstash Config Guide. You know you want to…