Logstash collects data and sends it to Elastic

I called this post "Logstash collects data and sends it to Elastic" not because I'm prepared to show anyone how to make that happen but because, in this post, I'm going to learn whether that's true. I believe this is where my biggest gap in understanding the ELK stack exists. I have Elastic and Kibana set up well enough to get positive feedback from the previous curl -X GET commands but haven't yet seen my switch's syslog data "arrive" at the VM.

Lab environment

I'm going to do my best to keep references to my lab/test environment consistent.

  • 192.168.130.101 - My workstation
  • 192.168.160.103 - The VM
  • 192.168.101.27 - Aruba switch

If I run tcpdump host 192.168.101.27, I don't expect to see the syslog data the switch should be forwarding to the VM. So, there are two tests there. Is my switch forwarding logs appropriately? I suspect so and am not really sure how to test without addressing the second. Is the VM listening for the switch logs? Let's install Logstash.

I ran sudo apt install logstash but quickly got lost in the blog posts I was following. It appears that there are many ways one could configure Logstash, but I'm curious to know how to configure it to receive syslog data.

I do see this from time to time while running tcpdump: IP siem > 192.168.101.27: ICMP siem udp port syslog unreachable, length 224. If I were wise, I'd spend some time on this but suspect it means, "something at 192.168.101.27 is trying to send syslog data but we're not listening".

I checked out the Syslog input plugin but feel like I'm missing something. This looks like good info for someone who already has a clue as to what they're doing.

Found the best description yet - RTFM:

  • Learned where Logstash's logs are: elastic.co/guide/en/logstash/current/logsta..
  • Found ' error in logstash-plain.log

  • Learned about port 514: discuss.elastic.co/t/udp-listener-died-sysl..
  • Changed my conf file to an arbitrary port number, 5514: bogotobogo.com/Hadoop/ELK/ELK_ElasticSearch..
  • Stopped seeing the permission denied error
  • Still don't know what indices are: elastic.co/guide/en/elasticsearch/reference..

I'm now seeing:

[screenshot: image.png]
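As an added example (not from the original post), here is the shape of the pipeline the notes above arrive at, plus the two checks the post asks for: is the VM listening, and can a syslog message actually reach it. The ICMP "udp port syslog unreachable" line in the tcpdump output already answers the first question for port 514: the VM (siem) is telling the switch that nothing is bound to UDP 514, which also confirms the switch is forwarding. The "permission denied" in logstash-plain.log is the other half of the same story: Logstash runs as the unprivileged logstash user and cannot bind a port below 1024, which is why moving to 5514 fixed it. Assumptions here: the lab addresses from the post, Logstash on UDP/TCP 5514, and an Elasticsearch on localhost:9200 with no TLS or authentication (lab-only; a production Elasticsearch needs credentials and a CA in the output block).

```bash
#!/usr/bin/env bash
# Added example, not the post's own files. Assumes the lab addresses above,
# Logstash listening on 5514, and Elasticsearch at localhost:9200 (lab-only,
# no TLS/auth).
VM_IP=${VM_IP:-192.168.160.103}
LS_PORT=${LS_PORT:-5514}

# Minimal pipeline for /etc/logstash/conf.d/syslog.conf. The syslog input
# listens on both UDP and TCP on the given port. 5514 rather than 514 because
# Logstash runs as the unprivileged 'logstash' user and cannot bind ports
# below 1024 (the "permission denied" seen in logstash-plain.log).
pipeline_conf() {
  cat <<EOF
input {
  syslog {
    port => ${LS_PORT}
    type => "syslog"
  }
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "syslog-%{+YYYY.MM.dd}"
  }
}
EOF
}

# RFC 3164 PRI value: facility * 8 + severity.
# e.g. user/info = 1*8+6 = 14, local7/info = 23*8+6 = 190
syslog_pri() { echo $(( $1 * 8 + $2 )); }

# Build a BSD-style syslog line: <PRI>TIMESTAMP HOST TAG: MSG
syslog_line() {
  local facility=$1 severity=$2 host=$3 tag=$4 msg=$5
  printf '<%d>%s %s %s: %s\n' "$(syslog_pri "$facility" "$severity")" \
    "$(date '+%b %e %H:%M:%S')" "$host" "$tag" "$msg"
}

# From the workstation: push one constructed test message to the VM over UDP
# using bash's /dev/udp pseudo-device. Watch it arrive on the VM with
#   sudo tcpdump -ni any udp port 5514
send_test() {
  syslog_line 1 6 workstation logstash-test "hello from $(hostname)" \
    > "/dev/udp/${VM_IP}/${LS_PORT}"
}

# On the VM: is anything bound to the UDP port Logstash should be on?
check_listener() { ss -ulnp | grep -q ":${LS_PORT} "; }

case "${1:-}" in
  conf)  pipeline_conf ;;
  send)  send_test ;;
  check) if check_listener; then echo "listening on udp/${LS_PORT}"
         else echo "nothing bound to udp/${LS_PORT}"; fi ;;
esac
```

Run `./syslog-lab.sh conf | sudo tee /etc/logstash/conf.d/syslog.conf` on the VM, restart Logstash, then `./syslog-lab.sh check` there and `./syslog-lab.sh send` from the workstation while tcpdump is running on the VM. One caveat the notes above do not mention: the switch still targets UDP 514, so its ICMP port unreachable replies will continue until the Aruba syslog destination is changed to port 5514 as well (or a firewall redirect from 514 to 5514 is added on the VM).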