Streaming data from Logstash to your HLA instance

Summary

This article explains how to enable streaming data from Logstash to your HLA ServiceNow instance.

Release

Health Log Analytics must be provisioned and the application must be installed before any of the steps described in this article. HLA is available starting from Family Release Quebec and later.

Instructions

NOTE: a MID Server must be installed and verified prior to the following steps.

Start by navigating to the Data Input screen in the HLA application.

1. Select the TCP Data Input and fill in the mandatory fields to open a TCP socket data input (listener) on the desired port on HLA. Make sure you select a port that is available (free) on your MID Server. You may need to create a NEW application service as a fallback association for all events coming in to this port. (This can be changed later using the Data Input Mapping script.)

Once you have submitted the NEW Data Input and it has been created successfully, validate connectivity between your Logstash node and the MID Server.

2. Validate connectivity between the Logstash node and the MID Server over the relevant port, using the following telnet command:

    telnet <MID_SERVER_HOST> PORTNUMBER

3. Verify that your Logstash currently supports the "syslog" output plugin by running:

    bin/logstash-plugin list --group output

If "syslog" is not listed, run the following command to install it:

    bin/logstash-plugin install logstash-output-syslog

4. Configure the Logstash conf file to add a syslog output for the desired input (if necessary, add an if condition on the output so that it only applies to the relevant inputs), and fill in the "host" and "port" output details:

    output {
      syslog {
        host => "<MID_SERVER_HOST>"
        port => PORTNUMBER
        protocol => "tcp"
      }
    }

By default, Logstash wraps the log stream with a syslog header (syslog RFC format: rfc3164), which adds the Logstash streaming details (the Logstash host and the "program"/source). Those are mostly irrelevant and should be overridden with the data's original metadata. This can be configured and customized, as described in Logstash - Syslog output plugin, to ensure that the original logs' metadata, such as their source, host, and application properties, is shipped.

Note: the event logs' original metadata is necessary for accurate anomaly detection and correct detections. Please make sure this information is being sent with the logs.
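
The header override described above, as an added example that is not part of the original article: the syslog output's "sourcehost" and "appname" options take the header values from event fields instead of the Logstash node's identity. The "hla" tag, the "hla_missing_metadata" tag, and the [origin][host] / [origin][application] field names are assumptions; substitute the fields your pipeline actually carries.

```logstash
filter {
  # Assumption: the relevant input sets tags => ["hla"] and upstream parsing
  # stores the original sender in [origin][host] and [origin][application].
  if "hla" in [tags] {
    # An unresolved %{...} reference is sent as literal text, so give events
    # that lack the metadata a recognisable fallback and tag them for review.
    if ![origin][host] {
      mutate {
        add_field => { "[origin][host]" => "unknown-host" }
        add_tag   => ["hla_missing_metadata"]
      }
    }
    if ![origin][application] {
      mutate {
        add_field => { "[origin][application]" => "unknown-app" }
        add_tag   => ["hla_missing_metadata"]
      }
    }
  }
}

output {
  # Only events from the relevant input are forwarded to the MID Server.
  if "hla" in [tags] {
    syslog {
      host       => "<MID_SERVER_HOST>"
      port       => PORTNUMBER
      protocol   => "tcp"
      rfc        => "rfc3164"
      # Header fields: original host and application rather than the
      # plugin defaults (the Logstash host and the appname "LOGSTASH").
      sourcehost => "%{[origin][host]}"
      appname    => "%{[origin][application]}"
      # Payload: the original log line.
      message    => "%{message}"
    }
  }
}
```

Events that arrive in HLA with the host "unknown-host" or the application "unknown-app" indicate a source whose metadata is not being extracted upstream.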