
I would like to use Rsyslog with Logstash; unfortunately, I ran into a few problems.

I'm working with an Ubuntu 14.04 server and Logstash 1.4.0.

If I use the syslog plugin for Logstash with port 514, there is no problem; everything works fine. Unfortunately, I need root privileges to do that, to be able to connect to a port number under 1024, and my Logstash service doesn't have them.

So instead of giving them to it, I thought about using a different port, let's say 5514.

Here is my input for Logstash:

input {
        syslog {
                port => 5514       # used to be 514, but that needs root privileges
                type => "syslog"
        }
}

Well, I thought it would work, but there is no output coming from Logstash, so I ran tcpdump to check whether my input was really coming in.

09:02:56.275655 IP 192.168.0.158.49146 > tst-marine.5514: UDP, length 161
09:02:56.351775 IP 192.168.0.158.49146 > tst-marine.5514: UDP, length 142
09:02:56.428970 IP 192.168.0.158.49146 > tst-marine.5514: UDP, length 142
09:02:56.504834 IP 192.168.0.158.49146 > tst-marine.5514: UDP, length 142
09:02:56.509461 IP 192.168.0.158.49146 > tst-marine.5514: UDP, length 168
09:02:56.511048 IP 192.168.0.158.49146 > tst-marine.5514: UDP, length 154

I do indeed have input, but I noticed something different from when I used port 514. When I use port 514, packets are recognized as SYSLOG packets (tcpdump port 514):

09:04:35.323139 IP 192.168.0.158.35717 > tst-marine.syslog: SYSLOG daemon.notice, length: 140
09:04:35.939204 IP 192.168.0.158.35717 > tst-marine.syslog: SYSLOG daemon.notice, length: 163
09:04:35.939237 IP 192.168.0.158.35717 > tst-marine.syslog: SYSLOG daemon.notice, length: 140
09:04:35.939394 IP 192.168.0.158.35717 > tst-marine.syslog: SYSLOG daemon.notice, length: 164
09:04:35.939582 IP 192.168.0.158.35717 > tst-marine.syslog: SYSLOG daemon.notice, length: 141

So I do not know why it doesn't work. Any help on that?

Yu Hao
LinChan
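
A diagnostic check for the two captures above, added here as an example (not code from the original post): tcpdump picks its SYSLOG decoder from the port number, so datagrams sent to 5514 are listed as plain UDP even when the payload is unchanged. The parser below decodes the RFC 3164 `<PRI>` field into the same facility.severity label tcpdump prints on port 514; the sample datagram, its host name and the function names are constructed for illustration.

```python
import re
import socket

# RFC 3164 facility and severity names, indexed by numeric code.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>, optional "Mmm dd hh:mm:ss host" header, then the message (TAG: content).
SYSLOG_RE = re.compile(
    rb"^<(\d{1,3})>"
    rb"(?:([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) )?"
    rb"(.*)$", re.DOTALL)

def parse_syslog(datagram: bytes):
    """Return a dict for an RFC 3164 datagram, or None if it is not syslog."""
    m = SYSLOG_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                      # highest valid PRI is 23 * 8 + 7
        return None
    facility, severity = divmod(pri, 8)
    return {
        "label": f"{FACILITIES[facility]}.{SEVERITIES[severity]}",
        "timestamp": m.group(2).decode() if m.group(2) else None,
        "host": m.group(3).decode() if m.group(3) else None,
        "message": m.group(4).decode(errors="replace").rstrip("\n"),
    }

def listen(port: int = 5514, count: int = 5):
    """Bind an unprivileged UDP port and print what each datagram decodes to."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        for _ in range(count):
            data, (src, _sport) = sock.recvfrom(65535)
            print(src, parse_syslog(data) or f"not syslog: {data[:40]!r}")

# Constructed sample datagram (not captured from the poster's network).
SAMPLE = b"<29>Apr  7 09:02:56 host1 mydaemon[123]: service started"

if __name__ == "__main__":
    print(parse_syslog(SAMPLE))
    # listen()  # run with Logstash stopped so that port 5514 is free
```

If `listen()` shows well-formed records arriving on 5514, the senders and the network path are behaving the same as on 514 and the remaining difference is on the receiving side.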

0 Answers