Feeding network syslog into a central pipeline makes it easier to search, alert, and retain logs from switches, firewalls, appliances, and servers in one place. Using Filebeat as the listener removes the need for a separate syslog relay when events are shipped onward to the configured output.
The syslog input starts a listener on a chosen UDP or TCP port and decodes incoming messages into structured fields. Parsing supports common syslog variants such as RFC 3164 and RFC 5424, and the resulting events then follow the normal Filebeat publishing path.
A bind address of 0.0.0.0 accepts traffic on all interfaces, so scope reachability with firewall rules and network segmentation to prevent unwanted ingestion and log flooding. The traditional syslog port 514 is frequently occupied by local daemons such as rsyslog or syslog-ng and can require elevated privileges, so a high port (for example 9000) avoids conflicts. The Filebeat service must be running with a valid output configuration; otherwise the listener will not stay active.
Steps to configure a Filebeat syslog input:
- Open the Filebeat configuration file.
$ sudo nano /etc/filebeat/filebeat.yml
- Add a syslog input with a UDP listener.
filebeat.inputs:
  - type: syslog
    enabled: true
    format: rfc3164
    timezone: Local
    protocol.udp:
      host: "0.0.0.0:9000"

Set format to rfc5424 for RFC 5424 senders. Adjust timezone when parsing RFC 3164 timestamps, which carry no explicit offset.
Some Filebeat releases mark the syslog input as deprecated. Plan a migration path so an upgrade does not remove the listener unexpectedly.
- Test the configuration for errors.
$ sudo filebeat test config -c /etc/filebeat/filebeat.yml
Config OK
- Restart the Filebeat service.
$ sudo systemctl restart filebeat
- Confirm the Filebeat service is running.
$ sudo systemctl status filebeat --no-pager
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
     Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; preset: enabled)
     Active: active (running) since Tue 2026-01-06 22:18:15 UTC; 5s ago
##### snipped #####
- Verify the UDP listener is active.
$ sudo ss -lunp | grep -F ':9000'
UNCONN 0 0 *:9000 *:* users:(("filebeat",pid=7932,fd=8))

Replace grep -F with rg on systems that have ripgrep.
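As an added example (not code from the original article), the following Python decodes the two syslog variants the input handles, including the RFC 3164 case where the receiver must supply the year and timezone, and sends a constructed test message to the listener address from the configuration above. The sample messages and the +02:00 receiver zone are constructed for illustration.

```python
import re
import socket
from datetime import datetime, timedelta, timezone
# Constructed sample messages, one per syslog variant the input decodes.
RFC3164_SAMPLE = "<34>Jan  6 22:18:15 fw01 sshd[1234]: Failed password for admin from 203.0.113.5 port 2222 ssh2"
RFC5424_SAMPLE = "<165>1 2026-01-06T22:18:15.003+02:00 sw01 stp - ID47 - Topology change on port Gi1/0/7"
# Constructed stand-in for the receiver zone that `timezone: Local` would supply.
RECEIVER_TZ = timezone(timedelta(hours=2))

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
RFC3164_RE = re.compile(r"^([A-Z][a-z]{2}) {1,2}(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S)
RFC5424_RE = re.compile(r"^1 (\S+) (\S+) (\S+) (\S+) (\S+) (?:-|\[.*?\]) ?(.*)$", re.S)

def parse_syslog(raw, local_tz=timezone.utc, year=None):
    """Decode <PRI>, then try RFC 5424 (explicit offset) before RFC 3164."""
    m = PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI> header")
    pri, rest = int(m.group(1)), m.group(2)
    event = {"facility": pri // 8, "severity": pri % 8}
    m5 = RFC5424_RE.match(rest)
    if m5:
        ts, host, app, _procid, _msgid, msg = m5.groups()
        # RFC 5424 carries its own offset, so no receiver-side zone is guessed.
        ts_dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        event.update(format="rfc5424", timestamp=ts_dt, hostname=host, app_name=app, message=msg)
        return event
    m3 = RFC3164_RE.match(rest)
    if m3:
        mon, day, clock, host, msg = m3.groups()
        # RFC 3164 has neither year nor offset; the receiver supplies both, as the `timezone` setting does.
        year = year or datetime.now(local_tz).year
        naive = datetime.strptime(f"{year} {mon} {int(day):02d} {clock}", "%Y %b %d %H:%M:%S")
        event.update(format="rfc3164", timestamp=naive.replace(tzinfo=local_tz), hostname=host, message=msg)
        return event
    raise ValueError("unrecognized syslog format")

def utc_iso(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

def send_udp(raw, host="127.0.0.1", port=9000):
    """Send one datagram to the listener address from the configuration above."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(raw.encode(), (host, port))  # bytes sent; UDP gives no delivery receipt

if __name__ == "__main__":
    for sample in (RFC3164_SAMPLE, RFC5424_SAMPLE):
        ev = parse_syslog(sample, local_tz=RECEIVER_TZ, year=2026)
        print(ev["format"], ev["hostname"], utc_iso(ev["timestamp"]), ev["facility"], ev["severity"])
        send_udp(sample)
```

Parsing the same RFC 3164 text with the wrong receiver zone shifts every event by the zone offset, which is the skew the timezone setting exists to prevent.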
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
