Feeding network syslog into a central pipeline keeps appliance, network, and server messages searchable in one place instead of leaving them on separate devices or relay hosts. A dedicated Filebeat syslog listener is still useful when an existing deployment already expects Filebeat to receive and decode those events before forwarding them to Elasticsearch or Logstash.
The dedicated syslog input in Filebeat opens a UDP, TCP, or Unix-domain listener, parses RFC 3164 or RFC 5424 messages, and publishes the resulting events through the normal output pipeline. Current releases still validate type: syslog configurations, and options such as format, timezone, and protocol-specific max_message_size settings control how the listener interprets incoming messages.
Elastic deprecated the dedicated syslog input in 8.14.0 and recommends a plain tcp or udp input with the syslog processor for new builds, so this workflow is best for existing configs or environments that have not migrated yet. Binding to 0.0.0.0 exposes the listener on every interface, the traditional syslog port 514 can conflict with local daemons and privileged-port rules, and a valid output plus a successful config test are both required before the filebeat service can stay healthy after a restart.
$ sudo cp /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.bak
$ sudoedit /etc/filebeat/filebeat.yml
filebeat.inputs:
- type: syslog
  enabled: true
  format: auto
  timezone: Local
  protocol.udp:
    host: "0.0.0.0:9000"
    max_message_size: 10KiB
Keep filebeat.inputs: defined once in /etc/filebeat/filebeat.yml, and add another - type: syslog item under the existing key when other inputs are already present.
format: auto accepts both RFC 3164 and RFC 5424 messages, while timezone: Local fills in the local offset only when the incoming timestamp does not include one.
Elastic deprecated the dedicated syslog input in 8.14.0 and recommends a tcp or udp input with the syslog processor for new configurations, but current Filebeat releases still validate the dedicated input for existing deployments.
Binding to 0.0.0.0 exposes the listener on every interface. Use a firewall or a narrower bind address when only specific senders should reach the port.
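As an added example, not code from this article or from the Filebeat project, the script below builds one RFC 3164 and one RFC 5424 test message, shows which of the two formats a format: auto listener has to recognise for each, and sends both as UDP datagrams to the listener configured above. The target 127.0.0.1:9000, the 10 KiB limit mirroring max_message_size, the hostname edge-fw01 and the app name testsend are assumptions chosen to match the sample configuration; the local-offset handling illustrates why timezone: Local matters only for the RFC 3164 message, whose timestamp carries no offset.

```python
"""Send constructed RFC 3164 and RFC 5424 test messages to a Filebeat syslog
listener. Added example, not part of the Filebeat project; host, port, size
limit, hostname and app name are assumptions matching the sample config."""
import re
import socket
from datetime import datetime, timedelta, timezone

# Facility 1 (user) * 8 + severity 6 (informational) = PRI 14
PRI = 14
HOSTNAME = "edge-fw01"   # constructed sample hostname
APPNAME = "testsend"     # constructed sample app name
LISTENER = ("127.0.0.1", 9000)   # assumed: the protocol.udp listener above
MAX_BYTES = 10 * 1024            # assumed: mirrors max_message_size: 10KiB

# Fixed, constructed timestamp (UTC+1) so message text is reproducible
SAMPLE_TS = datetime(2024, 3, 5, 14, 7, 9, tzinfo=timezone(timedelta(hours=1)))


def rfc3164(msg: str, ts: datetime) -> str:
    """BSD syslog line: no year and no UTC offset, so the receiver's
    timezone setting (timezone: Local here) decides how it is interpreted."""
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # day is space-padded per RFC 3164
    return f"<{PRI}>{stamp} {HOSTNAME} {APPNAME}: {msg}"


def rfc5424(msg: str, ts: datetime) -> str:
    """IETF syslog line: version 1 and an RFC 3339 timestamp with an explicit
    offset, so timezone: Local is not consulted for this message."""
    stamp = ts.isoformat(timespec="milliseconds")
    return f"<{PRI}>1 {stamp} {HOSTNAME} {APPNAME} - - - {msg}"


# What a format: auto receiver must tell apart: "<PRI>1 " (RFC 5424) versus
# "<PRI>Mmm dd hh:mm:ss " (RFC 3164). Illustrative, not Filebeat's own parser.
RFC5424_RE = re.compile(r"^<\d{1,3}>1 ")
RFC3164_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


def detect_format(line: str) -> str:
    """Return 'rfc5424', 'rfc3164' or 'unknown' for one syslog line."""
    if RFC5424_RE.match(line):
        return "rfc5424"
    if RFC3164_RE.match(line):
        return "rfc3164"
    return "unknown"


def send_udp(lines, target=LISTENER, max_bytes=MAX_BYTES) -> int:
    """Send each line as one datagram. A line larger than the listener's
    max_message_size would be truncated on arrival, so refuse it up front.
    Returns the number of datagrams sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            data = line.encode("utf-8")
            if len(data) > max_bytes:
                raise ValueError(
                    f"message of {len(data)} bytes exceeds max_message_size {max_bytes}")
            sock.sendto(data, target)
            sent += 1
    return sent


if __name__ == "__main__":
    now = datetime.now(timezone.utc).astimezone()   # local time with its offset
    batch = [rfc3164("link up on eth0", now), rfc5424("link up on eth0", now)]
    for line in batch:
        print(detect_format(line), line)
    print("sent", send_udp(batch), "datagrams to", LISTENER)
```

After running it, the two events should appear in the output (Elasticsearch or Logstash) with the same wall-clock time; if the RFC 3164 event is off by the local UTC offset while the RFC 5424 event is correct, the timezone setting on the input is the first thing to check.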
Related: How to configure a Filebeat TCP input
Related: How to configure Filebeat processors
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
Related: How to test a Filebeat configuration
$ sudo systemctl restart filebeat
$ sudo systemctl is-active filebeat
active
If the command returns failed or remains activating for too long, inspect journalctl -u filebeat.service before retrying the restart.
$ sudo ss -lunp | grep -F ':9000'
UNCONN 0 0 *:9000 *:* users:(("filebeat",pid=4412,fd=12))
Use sudo ss -ltnp when the input uses protocol.tcp rather than protocol.udp.