[rsyslog-notify] Forum Thread: only localhost syslogs being sent to elasticsearch/kibana - (Mode 'edit_topic')

[noreply at adiscon.com]

User: alexh 
Forumlink: http://kb.monitorware.com/viewtopic.php?p=24340#p24340

Message: 
----------
Hi-
I followed the guide located at
http://www.rsyslog.com/output-to-elasticsearch-in-logstash-format-kibana-friendly/

CentOS 6.5
 rsyslog-7.6.0-1.el6.x86_64
 rsyslog-elasticsearch-7.6.0-1.el6.x86_64
 rsyslog-mmjsonparse-7.6.0-1.el6.x86_64

I'm using Kibana to view the logs, and only the entries from the localhost
are showing up.  I pointed a remote syslog client at this server, and its
logs are indeed being received into /var/log/messages...?  I'm guessing I
just don't have rsyslog configured correctly to also ship the logs from
remote hosts to elasticsearch?

I have configured /etc/rsyslog.conf as follows:

[code]module(load="imuxsock") # provides support for local system logging
(e.g. via logger command)
module(load="imklog")   # provides kernel logging support (previously done
by rklogd)

module(load="imudp") # needs to be done just once
input(type="imudp" port="514")
module(load="imtcp") # needs to be done just once
input(type="imtcp" port="514")

$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.info;mail.none;authpriv.none;cron.none                /var/log/messages
authpriv.*                                              /var/log/secure
mail.*                                                  /var/log/maillog
cron.*                                                  /var/log/cron
*.emerg                                                 :omusrmsg:*
uucp,news.crit                                          /var/log/spooler
local7.*                                                /var/log/boot.log

[/code]

I also have /etc/rsyslog.d/es.conf:

[code]template(name="logstash-index"
  type="list") {
    constant(value="logstash-")
    property(name="timereported" dateFormat="rfc3339" position.from="1"
position.to="4")
    constant(value=".")
    property(name="timereported" dateFormat="rfc3339" position.from="6"
position.to="7")
    constant(value=".")
    property(name="timereported" dateFormat="rfc3339" position.from="9"
position.to="10")
}
template(name="plain-syslog"
  type="list") {
    constant(value="{")
      constant(value="\"@timestamp\":\"")     property(name="timereported"
dateFormat="rfc3339")
      constant(value="\",\"host\":\"")        property(name="hostname")
      constant(value="\",\"severity\":\"")   
property(name="syslogseverity-text")
      constant(value="\",\"facility\":\"")   
property(name="syslogfacility-text")
      constant(value="\",\"tag\":\"")   property(name="syslogtag"
format="json")
      constant(value="\",\"message\":\"")    property(name="msg"
format="json")
    constant(value="\"}")
}
action(type="omelasticsearch"
    template="plain-syslog"
    searchIndex="logstash-index"
    dynSearchIndex="on")
[/code]


Thanks!