I have a situation where I want to receive UDP traffic on two different ports on the same machine (two different services) and would like to avoid double sending of data.
So, this is the idea:
(rsyslog client) ----(network)---> (10540 rsyslog and 11540 logstash)
rsyslog and logstash are on the same machine.
I need something in front of those two services that could serve them both with the same data. Ideally this would be located on the same machine as the mentioned services. Something like an L4 balancer that can send all data to multiple destinations, or some kind of port mirroring mechanism. Or anything else that could serve the purpose.
The reason for this is that I'm collecting Linux audit logs, and want to save some of them to Graylog (using logstash) and others to the filesystem. I've tried to do that with logstash, but it messes with the format of the logs stored on disk and they are not readable for the aureport, ausearch and ausummary tools.
I haven't found a way to fix the format within logstash to be readable by those tools.
I'm using CentOS 7. I don't have access to network devices.
Thanks for your suggestions.
With rsyslog you can use the omfwd module to send the logs to logstash. Add something like this to your rsyslog server (not the client):
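As an added illustration of the approach the answer describes (this is not the answerer's own configuration), the following rsyslog RainerScript receives the audit records once on UDP 10540, writes them to a local file for the audit tools, and forwards an identical copy to logstash on UDP 11540 on the same host. The ports come from the question; the ruleset name, template name, file path and the 127.0.0.1 target are assumptions made for this example.

```rsyslog
# Added example, not the answerer's config. Assumes rsyslog 7+ RainerScript,
# the question's ports (10540 rsyslog, 11540 logstash), both on this host.

# Single UDP listener; every datagram is handed to the "auditd" ruleset.
module(load="imudp")
input(type="imudp" port="10540" ruleset="auditd")

# Store only the message body, one record per line, with no syslog header,
# so the file on disk keeps the original audit record layout.
# (Template name is an assumption for this example.)
template(name="AuditRaw" type="string" string="%msg%\n")

ruleset(name="auditd") {
    # Copy 1: local file for ausearch / aureport (path is an assumption).
    action(type="omfile" file="/var/log/audit-remote/audit.log" template="AuditRaw")

    # Copy 2: the same record forwarded to logstash over UDP.
    # UDP has no delivery confirmation, so a stopped logstash is not detected here.
    action(type="omfwd" target="127.0.0.1" port="11540" protocol="udp")
}
```

Because both actions sit in one ruleset, each record is received once and emitted twice, which removes the need for a separate balancer or port-mirroring component. If the sending client wraps each record in a syslog header, `%msg%` carries a leading space; the property replacer (for example `%msg:2:$%`) can trim it should the audit tools object.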