2
votes

I'm trying to figure out how Logstash integrates with syslog. Which of the following is true:

  • Logstash itself is a bona fide syslog server (implements the syslog protocol). In this case, you configure all of your syslog clients to log directly to the Logstash server via the syslog protocol. Or...
  • You configure all of your syslog clients to log to a centralized syslog server (such as a machine running rsyslog), and then configure some kind of bridge between the syslog server and the Logstash server? Or...
  • Something else entirely?

I'm looking to understand the relationships between syslog client, syslog server, and Logstash.


1 Answer

3
votes

If you use the syslog input on logstash (http://logstash.net/docs/1.4.0/inputs/syslog), you are setting up a TCP/UDP syslog server. That means you have to tell your clients (say log4j) where your syslog server is, or configure a syslog instance already running to forward the messages on to your logstash instance (via the `*.* @host` syntax in the /etc/syslog.conf file).

It really depends on what your requirements are -- if you need to receive logs from a Unix domain socket, you'll have to use the forwarding method or set up a file watcher to watch the /var/log/* files directly.
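As an added example (not part of the question or answer above), a minimal Logstash pipeline in the 1.4-era config syntax in which Logstash itself is the syslog server via the syslog input; the port 5514, the hostname `logstash-host` and the sshd tagging rule are assumptions chosen for illustration.

```conf
input {
  # Accept RFC 3164 syslog over both TCP and UDP. An unprivileged port is
  # used so Logstash need not run as root; the plugin's default is 514.
  syslog {
    port => 5514
    type => "syslog"
  }
}

filter {
  # The syslog input already splits out priority, facility, severity,
  # timestamp, logsource, program and pid, so only message-level
  # enrichment is needed. Assumed example: tag failed SSH logins so a
  # downstream alert can key on the tag instead of re-parsing text.
  if [program] == "sshd" and [message] =~ /Failed password/ {
    mutate { add_tag => ["auth_failure"] }
  }
}

output {
  # Print parsed events while validating the setup; swap for the
  # elasticsearch output once the fields look right.
  stdout { codec => rubydebug }
}
```

On an rsyslog client the matching forwarding rule is `*.* @@logstash-host:5514` for TCP or `*.* @logstash-host:5514` for UDP (single `@` means UDP); since UDP syslog is unauthenticated and easily spoofed, restrict the listening port in the host firewall to known senders.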