Syslog Agent for ECK
This guide complements the Installing Elastic Cloud on Kubernetes (ECK) on k3s guide.
Install syslog agent
- We will add an agent to manage the syslog ingestion.
- In Kibana, create an agent policy:
  - Management -> Fleet -> Agent policies -> Create agent policy
  - Call it Syslog Agent
  - Uncheck “Collect system logs and metrics”
  - Keep the defaults otherwise
  - When it’s created, click on the 3 dots under Actions for your new policy, and select View policy
  - Note the id (it will be in a GUID format, e.g. a8944404-e5a7-4675-b9e4-e3814e3abebb)
- In Kibana, take note of the enrollment token for the new policy:
  - Management -> Fleet -> Enrollment tokens
  - Find the Default token for your new Agent policy
  - Make a note of the token secret (it will be a Base64 string, e.g. RWpJay1aWUJrODlFcWpQLVpWc1M6emEwOEhQZVNUNnVPQXZCSTc2SGRjQQ==)
- Create a new agent with the agent policy and enrollment token
- Add the Syslog integration to your Syslog Agent policy:
  - Management -> Fleet -> Agent policies -> Syslog Agent -> Add integration
  - Search for “Custom UDP Logs” and click Add Custom UDP Logs
  - Change the defaults:
    - Listen Address: 0.0.0.0
    - Listen Port: 5514
    - Dataset name: syslog
    - Syslog Parsing: enabled
  - Save and continue, applying to the Syslog Agent policy and deploying to the agent.
Test syslog functionality from within the cluster
```bash
# Spin up a temporary pod to run the test from
kubectl run syslog-test --image=nicolaka/netshoot -it --rm --restart=Never -- bash

# Send a syslog message to our syslog-agent - this will hang
logger -n syslog-service.elastic-stack.svc.cluster.local -P 5514 "Test message from within the cluster"
```
- Look for the message in Kibana -> Discover:
  - Search for message: "test message"
Set up a DNS entry for your syslog endpoint
- Traefik won’t do this for you, since syslog is a UDP endpoint
- Find your cluster IP address (this prints the addresses of the first node):
  kubectl get nodes -o jsonpath='{.items[0].status.addresses}'
- Create a DNS A record and test that it resolves
Test syslog functionality from outside the cluster
- I tested from WSL on a Windows host:
  logger -n YOUR_DNS_A_RECORD_FROM_ABOVE -P 5514 "Test message from outside the cluster"
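The two `logger` tests above only confirm that a datagram arrives; they do not show what the “Syslog Parsing: enabled” setting extracts from it. The following Python script is an added example, not part of the original guide or of the Elastic Agent: it builds an RFC 3164 syslog datagram (PRI = facility * 8 + severity, timestamp, hostname, tag, message), sends it over UDP, and runs a loopback round trip through a small receiver that decodes the PRI field the way a syslog parser does. The hostname `syslog-service.elastic-stack.svc.cluster.local` and port 5514 are the values from this guide; the facility/severity names, the sample hostname `test-host` and the tag `syslog-test` are constructed for the example.

```python
"""Build, send and decode RFC 3164 syslog datagrams (added example, not the guide's code)."""
import re
import socket
from datetime import datetime

# Target from the guide (only reachable from inside the cluster).
AGENT_HOST = "syslog-service.elastic-stack.svc.cluster.local"
AGENT_PORT = 5514

# Standard syslog facility and severity names (RFC 3164/5424 tables).
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              16: "local0", 17: "local1", 18: "local2", 19: "local3",
              20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample datagram: PRI 35 = facility 4 (auth) * 8 + severity 3 (err).
SAMPLE_DATAGRAM = "<35>Jan  5 09:08:07 test-host syslog-test[4242]: login failed for user bob"

# <PRI>MMM dd HH:MM:SS hostname tag[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def build_syslog_message(msg, facility=1, severity=6, hostname="test-host",
                         tag="syslog-test", timestamp=None):
    """Return an RFC 3164 datagram. Default PRI is 14 (user.info), like `logger`."""
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    ts = timestamp or datetime.now()
    # RFC 3164 pads a single-digit day with a space, not a zero.
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {msg}"


def parse_syslog_message(raw):
    """Decode a datagram into the fields a syslog parser would populate, or None."""
    m = SYSLOG_RE.match(raw)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # highest legal PRI is 23 * 8 + 7
        return None
    return {
        "priority": pri,
        "facility": FACILITIES.get(pri // 8, str(pri // 8)),
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "hostname": m.group("host"),
        "process": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
    }


def send_udp(datagram, host, port):
    """Fire-and-forget UDP send; syslog over UDP gives no acknowledgement."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(datagram.encode("utf-8"), (host, port))


def loopback_roundtrip(msg, **kwargs):
    """Bind an ephemeral UDP port on 127.0.0.1, send a datagram to it, parse what arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(2.0)
        port = srv.getsockname()[1]
        send_udp(build_syslog_message(msg, **kwargs), "127.0.0.1", port)
        data, _ = srv.recvfrom(2048)
    return parse_syslog_message(data.decode("utf-8"))


if __name__ == "__main__":
    print(parse_syslog_message(SAMPLE_DATAGRAM))
    print(loopback_roundtrip("Test message from within the cluster"))
    # From inside the cluster, the same datagram can be sent to the agent with:
    # send_udp(build_syslog_message("Test message from within the cluster"), AGENT_HOST, AGENT_PORT)
```

Running the script stand-alone exercises only the loopback path, so it works on any machine; the commented call at the end is the equivalent of the `logger` test and only resolves from inside the cluster. The decoded facility and severity names are what to look for in Discover alongside the message text when checking that syslog parsing is actually applied rather than the whole line landing in a single field.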
Configure Syslog Sources
This will be on a source-by-source basis. An example from Mikrotik: Mikrotik - Syslog with Elasticsearch