Sending logs to remote server with rsyslog

Tags: centos6, logstash, rsyslog

I'm trying to set up centralized logging with Logstash, Elasticsearch and Kibana and am having trouble getting logs to my log server.

Logstash is listening on TCP 5000 and is successfully receiving logs from one of my servers but not the rest. I can telnet to my log server on 5000 and Logstash is picking up the messages, so I believe the issue is with rsyslog sending the logs.

I'm on CentOS 6.5 and have added the following to /etc/rsyslog.conf:

$WorkDirectory /var/lib/rsyslog # where to place spool files
*.* @@logs.<domain_removed>.com:5000

rsyslog restarted with no errors after making the change but nothing is being received by Logstash. The spool directory is empty so I don't believe there are send failures.

May 16 20:46:10 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="5097" x-info="http://www.rsyslog.com"] exiting on signal 15.
May 16 20:46:10 kernel: imklog 5.8.10, log source = /proc/kmsg started.
May 16 20:46:10 rsyslogd: [origin software="rsyslogd" swVersion="5.8.10" x-pid="3556" x-info="http://www.rsyslog.com"] start

Any ideas on how I can track down the error?

EDIT: This issue was caused by SELinux

Best Answer

SELinux was blocking rsyslog from sending on port 5000. By default SELinux only allows rsyslog to send traffic on UDP 514.

I added an exception to SELinux with:

$ sudo semanage port -a -t syslogd_port_t -p tcp 5000
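The two checks a practitioner would run before adding that port label are (a) does `semanage port -l` already show the destination port under `syslogd_port_t`, and (b) is the audit log recording a `name_connect` AVC denial for `rsyslogd` on that port. The script below is an added example, not part of the question or the answer; it parses constructed samples of both outputs (embedded inline, formatted the way `semanage port -l` and `/var/log/audit/audit.log` print them) and reports whether the port is permitted and, if not, echoes the same `semanage port -a` remediation the answer used. On a real host you would pipe in `semanage port -l` and `ausearch -m avc -c rsyslogd` instead of the samples.

```shell
#!/bin/sh
# Added example: check whether an rsyslog forwarding port is labelled for
# syslogd_t under SELinux, and whether the audit log shows it being denied.
# Both inputs below are CONSTRUCTED samples, not output from the original post.

# Constructed excerpt of `semanage port -l` (first column = SELinux port type).
SAMPLE_PORTS='syslogd_port_t                 tcp      6514, 601
syslogd_port_t                 udp      514, 601
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      61001-65535'

# Constructed AVC denial line in the shape /var/log/audit/audit.log uses.
SAMPLE_AVC='type=AVC msg=audit(1400273170.123:456): avc:  denied  { name_connect } for  pid=5097 comm="rsyslogd" dest=5000 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# port_allowed TYPE PROTO PORT
# Reads `semanage port -l` output on stdin. Exit 0 if PORT/PROTO carries the
# SELinux type TYPE (single ports and N-M ranges are both handled), else 1.
port_allowed() {
    awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i
                gsub(/,/, "", p)                     # strip list separators
                if (p ~ /-/) {                       # range such as 61001-65535
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (p + 0 == port + 0) {
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# avc_denied_ports
# Reads audit lines on stdin and prints the dest= port of every TCP
# name_connect denial attributed to the rsyslogd process.
avc_denied_ports() {
    awk '/avc: +denied +\{ name_connect \}/ && /comm="rsyslogd"/ && /tclass=tcp_socket/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dest=/) { sub(/^dest=/, "", $i); print $i }
        }
    }'
}

# remediation PROTO PORT : the command from the answer, with the port filled in.
remediation() {
    printf 'semanage port -a -t syslogd_port_t -p %s %s\n' "$1" "$2"
}

# Stand-alone run against the constructed samples.
PROTO=tcp
PORT=5000
if printf '%s\n' "$SAMPLE_PORTS" | port_allowed syslogd_port_t "$PROTO" "$PORT"; then
    echo "$PROTO/$PORT already labelled syslogd_port_t"
else
    echo "$PROTO/$PORT is NOT labelled syslogd_port_t; rsyslog (syslogd_t) cannot connect to it"
    for p in $(printf '%s\n' "$SAMPLE_AVC" | avc_denied_ports); do
        echo "audit log shows rsyslogd denied name_connect to port $p"
    done
    echo "suggested fix: $(remediation "$PROTO" "$PORT")"
fi
```

The `port_allowed` check is the one to keep handy: a missing `syslogd_port_t` label on the forwarding port produces exactly the symptom in the question (clean restart, empty spool directory, nothing arriving), because the kernel refuses the `connect()` before rsyslog ever queues a message. After running `semanage port -a`, rerun the check against fresh `semanage port -l` output to confirm the label took, and restart rsyslog.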