Split Logstash output for Graylog

Hello,

  • This is my configuration:

On Graylog I have 2 inputs, one for all Linux servers and one for all Windows servers:

On Logstash, I have 2 configuration files (one for Linux (syslog) and one for Windows (beats)):

[root@ELK conf.d]# cat syslog.conf
input {
  # rsyslog from the Linux servers forwards here (TCP and UDP)
  tcp {
    port => 1514
    type => syslog
  }
  udp {
    port => 1514
    type => syslog
  }
}
output {
  # Graylog GELF input for the Linux servers
  gelf {
    host => "192.168.1.206"
    port => 10000
  }
}

and

[root@ELK conf.d]# cat beat.conf
input {
  # winlogbeat from the Windows servers sends here
  beats {
    port => 5000
    #codec => "json"
  }
}
output {
  # Graylog GELF input for the Windows servers
  gelf {
    host => "192.168.1.206"
    port => 12201
  }
}
  • On the Linux server I have (rsyslog.conf):

*.* @@192.168.1.210:1514

  • On the Windows server I have (winlogbeat.yml):

winlogbeat:
  registry_file: C:/ProgramData/winlogbeat/.winlogbeat.yml

  event_logs:
    - name: Application
    - name: Security
    - name: System

#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["192.168.1.210:5000"]

logging:
  to_files: true
  files:
    path: C:/ProgramData/winlogbeat/Logs
  level: info

  • And that works well, BUT the logs arrive on BOTH Graylog inputs!!

  • On a Linux server, if I do “logger TEST LOGSTASH”, I get the same log x 2, one per Graylog input!


How can I fix that?

Thank you for reading

If you expand the message, you see in what indices that message is stored and what input received the message; this way you can debug what happens.

Edit: I’m not a Logstash pro, but as you do not have any tags in your configuration, the messages will be sent to all outputs that are configured. So you send the message twice from Logstash. Change the configuration to include tags and it should work.

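The behaviour the reply describes has a concrete cause worth spelling out, with an added example that is not from the thread: Logstash's default pipelines.yml runs every file matched by path.config (by default conf.d/*.conf) as one pipeline named `main`, so the syslog input and the beats input both feed both gelf outputs and every event is delivered twice. Tagging each input and wrapping each output in a conditional is one fix; the other is to give each file its own pipeline, so that an input can only ever reach its own output. The example below assumes the files live at /etc/logstash/conf.d/syslog.conf and /etc/logstash/conf.d/beat.conf (the thread shows only the conf.d directory and the two file names) and that pipelines.yml is at /etc/logstash/pipelines.yml.

```yaml
# /etc/logstash/pipelines.yml (added example, not from the original thread)
#
# Default shipped content is a single entry:
#   - pipeline.id: main
#     path.config: "/etc/logstash/conf.d/*.conf"
# which concatenates syslog.conf and beat.conf into ONE pipeline, so both
# inputs reach both gelf outputs. Replacing it with one pipeline per file
# isolates them: no shared queue, no tags or conditionals required.

- pipeline.id: linux-syslog
  # assumed path; the thread only shows "conf.d" and the file name
  path.config: "/etc/logstash/conf.d/syslog.conf"

- pipeline.id: windows-beats
  # assumed path; the thread only shows "conf.d" and the file name
  path.config: "/etc/logstash/conf.d/beat.conf"
```

Two caveats: pipelines.yml is only honoured when Logstash is started as a service without `-f`/`-e` on the command line (those flags force a single pipeline), and the check from the reply still applies after the change: expand a test message in Graylog and confirm that exactly one input received it. Keeping the Windows Security log and the Linux syslog on separate pipelines also means a backlog or failure on one GELF output cannot stall delivery of the other.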

Hello,

That works:

For the Linux logs:

input {
  tcp {
    port => 1514
    type => syslog
    tags => ["linux"] # <--------tag
  }

  udp {
    port => 1514
    type => syslog
    tags => ["linux"] # <--------tag
  }
}

output {
  if "linux" in [tags] { # <--------tag
    gelf {
      host => "192.168.1.206"
      port => 10000
    }
  }
}

And for Windows:

input {
  beats {
    port => 5000
    tags => ["windows"] # <--------tag
  }
}

output {
  if "windows" in [tags] { # <--------tag
    gelf {
      host => "192.168.1.206"
      port => 12201
    }
  }
}

Thank you.
