Remote logs with syslog-ng and logstash

It has been a while since I wanted to test logstash as a central syslog-ng server. Turns out that it is dead simple. This is a quick guide so I remember about it the next time. I went for a VM on CentOS 6.3 which has syslog-ng and a few syslog-ng clients sending logs remotely via UDP. First, some considerations, my VM did require slightly more CPU and RAM than I thought it would. To have something stable, I recommend at least 2 VCPUs and 2GB of RAM. I also tested this setup with java 7.

First install and configure syslog-ng on the server, edit /etc/syslog-ng/syslog-ng.conf and add the following then restart the server’s daemon:

# note, you can use the IP of the server to bind ONLY to that socket
source s_udp {  udp(ip( port(514)); };
destination d_udp { file("/var/log/syslog/$HOST"); };
log { source(s_udp); destination(d_udp); };

Then you need to set the clients, again, install syslog-ng on them and add something like this in the same configuration file. Note that it must obviously match the IP of your server.

log {  source(s_src); destination(d_udp); };
destination d_udp {  udp("" port(514)); };

Moving onto logstash, download the latest from the main page (used 1.1.1 here) then put that in a directory (used /opt/logstash). Create a configuration file for logstash, i used /opt/logstash/logstash.conf. Mine contains pretty much what is from the quickrun guide. Note that on the syslog server /var/log/syslog must be a directory, i then receive logs from remote servers based on hostnames.

input {
  stdin {
    type => "stdin-type"

  file {
    type => "linux-syslog"
    path => [ "/var/log/*.log", "/var/log/messages", "/var/log/syslog/*" ]
output { 
   stdout { debug => true debug_format => "json"} 
   elasticsearch { embedded => true }

To start logstash, I use the following line: /usr/java/jre1.7.0_09/bin/java -jar logstash-1.1.1-monolithic.jar agent -f logstash-complex.conf — web –backend elasticsearch:///?local.

Now keep in mind that this is java, so it might take a while before the web interface becomes available. When it does, go to your server’s IP like this: then query for either of your hosts reporting logs or try the generic query on the page.

Nothing more, you have a free splunk which has so many inputs and outputs that it is almost indecent. Expect my next post on using the output to get this into graphite.

2 thoughts on “Remote logs with syslog-ng and logstash

Comments are closed.