[CentOS] CentOS 7 rsyslog and ELK

Fri Jul 10 21:46:56 UTC 2020
Pete Biggs <pete at biggs.org.uk>

> > What do people do to get their syslog messages on CentOS 7 into a
> > remote ELK stack.  I've tried lots of things involving rsyslog,
> > filebeat, redis, logstash and so on in lots of different configurations
> > but nothing really works.
> > 
> > I can get rsyslog to talk directly to logstash (acting as a syslog
> > server) but the messages don't have facility or severity codes in them
> > which makes it considerably more difficult to manage the messages.
> > 
> 
> The section "b – Routing from rsyslog to Logstash" of the article
> seems to cover a filter that needs to be added. You may have already
> tried this.. but that is about all i can help with currently.
> 
Thanks.  Yes, I was trying to get rsyslog to send JSON to logstash and
I have tried that template. 

A bit more investigation, though, and it turns out that the firewall on
the logstash server was only letting through TCP packets and it needs
UDP. Now I've fixed that, they appear to be talking to each other, but
it certainly doesn't seem to be logging everything.

Progress of sorts!

P.
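The facility and severity the thread is missing travel in the syslog PRI header, the `<N>` that rsyslog prefixes to every forwarded message (N = facility * 8 + severity). Below is an added example, not code from this thread or from rsyslog/logstash, that decodes that header from raw RFC 3164 lines so the two fields can be checked before anything reaches logstash, and flags lines that arrive without one. The log lines, hostname `web01` and the address 203.0.113.5 are constructed for the example; the facility names follow the rsyslog/RFC 5424 numbering.

```python
"""Decode syslog PRI (facility/severity) from RFC 3164 lines.

Added example for checking what rsyslog actually ships to a remote
collector. rsyslog legacy forwarding syntax: "@host" sends UDP and
"@@host" sends TCP, so the firewall on the collector must pass the
transport the client is configured for.
"""
import re
from typing import Optional

# Facility codes 0-23 (rsyslog short names, RFC 5424 numbering).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0-7.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines in the shape rsyslog's default forwarding
# template produces; the last one lacks the PRI header on purpose.
SAMPLE_LINES = [
    "<38>Jul 10 21:46:56 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 51512 ssh2",
    "<86>Jul 10 21:47:01 web01 crond[2222]: pam_unix(crond:session): session opened for user root by (uid=0)",
    "<13>Jul 10 21:47:30 web01 root: test message",
    "Jul 10 21:48:00 web01 kernel: line with no PRI header",
]

_RFC3164 = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                                   # optional PRI
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "               # BSD timestamp
    r"(?P<host>\S+) "                                              # hostname
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"                  # program[pid]:
    r"(?P<msg>.*)$"
)


def encode_pri(facility: int, severity: int) -> int:
    """PRI value as defined by RFC 3164/5424: facility * 8 + severity."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def decode_pri(pri: int) -> tuple:
    """Split a PRI value back into (facility_code, severity_code)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_rfc3164(line: str) -> Optional[dict]:
    """Parse one BSD-syslog line; facility/severity are None if no PRI is present."""
    m = _RFC3164.match(line)
    if m is None:
        return None
    rec = {
        "pri": int(m["pri"]) if m["pri"] is not None else None,
        "facility_code": None, "severity_code": None,
        "facility": None, "severity": None,
        "timestamp": m["ts"], "host": m["host"], "program": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None, "message": m["msg"],
    }
    if rec["pri"] is not None:
        try:
            fac, sev = decode_pri(rec["pri"])
        except ValueError:
            return rec  # malformed PRI: keep the raw value, leave names unset
        rec.update(facility_code=fac, severity_code=sev,
                   facility=FACILITIES[fac], severity=SEVERITIES[sev])
    return rec


def tally_missing_pri(lines) -> dict:
    """Count parsed lines with and without a usable facility/severity."""
    counts = {"with_pri": 0, "without_pri": 0, "unparsed": 0}
    for line in lines:
        rec = parse_rfc3164(line)
        if rec is None:
            counts["unparsed"] += 1
        elif rec["facility"] is None:
            counts["without_pri"] += 1
        else:
            counts["with_pri"] += 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        r = parse_rfc3164(raw)
        print(f"{r['facility']}.{r['severity']}  {r['program']}  {r['message'][:40]}")
    print(tally_missing_pri(SAMPLE_LINES))
```

Run it against a capture from the collector side (for example the output of `tcpdump -A` on the syslog port) to confirm the `<N>` header survives the hop; if every line counts as `without_pri`, the fields were dropped before transmission, which points at the rsyslog forwarding template rather than at logstash.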