Instructions for logstash (#10252)

* Instructions for logstash How to configure logstash to send syslog to LibreNMS * remove silly ssh syntax tags * Fixed date formatting issue for afternoon times
2024-10-07 16:52:45 +00:00 · 2019-05-24 05:36:36 -07:00
parent a9fef6eb9a
commit 38bbf0b55b
1 changed files with 43 additions and 3 deletions
--- a/doc/Extensions/Syslog.md
+++ b/doc/Extensions/Syslog.md
@@ -105,7 +105,7 @@ service syslog-ng restart

 Add the following to your LibreNMS `config.php` file to enable the Syslog extension:

-```ssh
+```php
 $config['enable_syslog'] = 1;
 ```

@@ -115,7 +115,7 @@ If you prefer rsyslog, here are some hints on how to get it working.

 Add the following to your rsyslog config somewhere (could be at the top of the file in the step below, could be in `rsyslog.conf` if you are using remote logs for something else on this host)

-```ssh
+```
 # Listen for syslog messages on UDP:514
 $ModLoad imudp
 $UDPServerRun 514
@@ -123,7 +123,7 @@ $UDPServerRun 514

 Create a file called something like `/etc/rsyslog.d/30-librenms.conf` containing:

-```ssh
+```
 # Feed syslog messages to librenms
 $ModLoad omprog

@@ -151,9 +151,49 @@ If your rsyslog server is recieving messages relayed by another syslog server, y

 Add the following to your LibreNMS `config.php` file to enable the Syslog extension:

+```php
+$config['enable_syslog'] = 1;
+```
+
+#### logstash
+
+If you prefer logstash, and it is installed on the same server as LibreNMS, here are some hints on how to get it working.
+
+First, install the output-exec plugin for logstash:
+
+```bash
+/usr/share/logstash/bin/logstash-plugin install logstash-output-exec
+```
+
+Next, create a logstash configuration file (ex. /etc/logstash/conf.d/logstash-simple.conf), and add the following:
+
+```
+input {
+syslog {
+    port => 514
+  }
+}
+
+
+output {
+        exec {
+        command => "echo `echo %{host},,,,%{facility},,,,%{priority},,,,%{severity},,,,%{facility_label},,,,``date --date='%{timestamp}' '+%Y-%m-%d %H:%M:%S'``echo ',,,,%{message}'``echo ,,,,%{program} | sed 's/\x25\x7b\x70\x72\x6f\x67\x72\x61\x6d\x7d/%{facility_label}/'` | sed 's/,,,,/||/g' | /opt/librenms/syslog.php &"
+        }
+        elasticsearch {
+        hosts => ["10.10.10.10:9200"]
+        index => "syslog-%{+YYYY.MM.dd}"
+        }
+}
+```
+
+Replace 10.10.10.10 with your primary elasticsearch server IP, and set the incoming syslog port. Alternatively, if you already have a logstash config file that works except for the LibreNMS export, take only the "exec" section from output and add it.
+
+Add the following to your LibreNMS `config.php` file to enable the Syslog extension:
+
 ```ssh
 $config['enable_syslog'] = 1;
 ```
+
 #### Syslog Clean Up 
 Can be set inside of  `config.php`
 ```php