Wich log forwarder for syslog listening and output compression for a low bandwich? [resolved logstash and GELF output]

piellick · January 16, 2019, 10:35am

Hi eveyrone,

need advise for chosing a log forwarder who can listening syslog and have an output who can compress and forward to graylog.

Logstah have a syslog input and GELF output but no information about compression

https://www.elastic.co/guide/en/logstash/current/plugins-outputs-gelf.html

SSL support is not an obligation.

Thanks

macko003 · January 17, 2019, 11:03pm

here is some information about GELF, all information what you need.

http://docs.graylog.org/en/2.5/pages/gelf.html

I wouldn’t use UDP only for compression.

Maybe beats output?
https://www.elastic.co/guide/en/beats/filebeat/current/logstash-output.html

piellick · January 22, 2019, 11:36am

Thanks @macko003.
i have choose a different solution, using logstash with GELF Output and it’s works well.

There is an exemple for the community of a logstash configuration file for listening syslog and compress it with GELF thought UDP :

input {
  udp {
    port => 514
    type => "syslog"
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
gelf {
        host => "GRAYLOG IP"
        port => 514
    }
}

just need to install the GELF output plugin for logstash by :

logstash-plugin install logstash-output-gelf

macko003 · January 22, 2019, 11:52am

ok, but you wrote

Based on the docs, GELF over TCP doesn’t support compression.

http://docs.graylog.org/en/2.5/pages/gelf.html

The Graylog Extended Log Format (GELF) is a log format that avoids the shortcomings of classic plain syslog:

        Limited to length of 1024 bytes – Not much space for payloads like backtraces
        No data types in structured syslog. You don’t know what is a number and what is a string.
        The RFCs are strict enough but there are so many syslog dialects out there that you cannot possibly parse all of them.
        No compression

piellick · January 22, 2019, 11:56am

Yes you right,

but by default UDP is using on logstash GELF output .

https://www.elastic.co/guide/en/logstash/current/plugins-outputs-gelf.html#plugins-outputs-gelf-protocol

system · February 5, 2019, 11:56am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GELF UDP plugin configuration Graylog Central (peer support)	4	774	March 26, 2019
How to configure graylogs from logstash output Graylog Central (peer support)	3	9264	March 12, 2019
Logstash Output to Graylog 3.0 (Can't search message) Graylog Central (peer support)	3	2536	May 24, 2019
Forwarding Application logs to graylog using filebeat and logstash Graylog Central (peer support)	3	157	November 29, 2024
GELF input truncate message to 1064 bytes Graylog Central (peer support) gelf	6	655	September 27, 2023

Wich log forwarder for syslog listening and output compression for a low bandwich? [resolved logstash and GELF output]

Related topics