I'm trying to ingest IOS switch logs into Elasticsearch, but I feel like I'm missing out on how this all works (I'm not a network engineer, which may explain it!)
We're using Elastic cloud and Fleets Cisco IOS integration.
I think what needs to happen is:
Setup a syslog service on server A.
Configure Cisco device to send syslog data to server A.
Install the Cisco IOS integration on to Server A
Logs are collected and appear in Elasticsearch.
But I may have the wrong end of the stick with this. The Cisco IOS integration doesn't have many options, just the host and port.
If the logs are being written to disk on server A via syslog, you'll need to use the system integration to collect them; however, they wouldn't be processed in a very useful format with this method since they won't go through the Cisco IOS specific processing logic. We do have efforts underway to support this type of collection, but we have not yet released this.
Alternatively you can configure the Cisco IOS integration running on Server A to connect directly to the Cisco device using host and port. Is this an option for you?
How would I configure this? The Integration only seems to allow the setting of IP and port, which I thought meant locally on the server with the integration installed?
Currently I've configured it as follows:
Cisco device sends syslog data to Server A on port 514
Server A has Cisco IOS integration installed, set to listen on localhost:514
Confirmed Server A listening on port 514:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
filebeat 2193 root 14u IPv4 1755263 0t0 UDP localhost:syslog
Forced Syslog data send from Cisco device, tcpdump in Server A shows traffic arriving from the Cisco device.
But no data appears in Kibana. Checked agent logs, and the datastream isn't generated.
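To check what actually arrives on the listener described in the post above, here is an added example (not code from the thread or from the Elastic integration): a minimal UDP receiver that decodes the syslog PRI and the Cisco IOS `%FACILITY-SEVERITY-MNEMONIC` tag, and refuses a loopback bind, since a socket bound to localhost never receives datagrams sent by a remote switch. The sample message, the port 5514 and the function names are assumptions for the example.

```python
import re
import socket
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Cisco IOS syslog lines carry a <PRI> header and a %FACILITY-SEVERITY-MNEMONIC tag.
_PRI_RE = re.compile(r"^<(\d{1,3})>")
_TAG_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+):\s*(.*)$")

@dataclass
class IosEvent:
    facility: int        # syslog facility from PRI (Cisco default is 23 = local7)
    severity: int        # syslog severity from PRI
    ios_facility: str    # e.g. SYS
    ios_severity: int    # e.g. 5
    mnemonic: str        # e.g. CONFIG_I
    message: str

def parse_ios_syslog(line: str) -> Optional[IosEvent]:
    """Decode the PRI and the IOS tag; return None if the line is not an IOS message."""
    pri = _PRI_RE.match(line)
    tag = _TAG_RE.search(line)
    if not pri or not tag:
        return None
    pri_val = int(pri.group(1))
    return IosEvent(pri_val // 8, pri_val % 8, tag.group(1), int(tag.group(2)),
                    tag.group(3), tag.group(4))

def bind_reachable_from_switch(bind_host: str) -> bool:
    """A listener bound to a loopback address only sees datagrams from the same host."""
    try:
        return not ip_address(bind_host).is_loopback
    except ValueError:  # a hostname rather than an IP literal
        return bind_host.lower() != "localhost"

def serve(bind_host: str = "0.0.0.0", port: int = 5514) -> None:
    """Receive UDP syslog and print parsed IOS events (5514 avoids needing root for 514)."""
    if not bind_reachable_from_switch(bind_host):
        raise SystemExit(f"{bind_host} is loopback only; bind to the agent host's real IP or 0.0.0.0")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_host, port))
        while True:
            data, (src, _) = sock.recvfrom(4096)
            ev = parse_ios_syslog(data.decode("utf-8", "replace"))
            print(f"{src}: {ev}" if ev else f"{src}: unparsed {data!r}")

# Constructed sample in IOS format (not captured from a real device).
SAMPLE = "<189>42: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)"

if __name__ == "__main__":
    serve()
```

Point the switch's `logging host` at the agent host's real IP and run this on that host to confirm both that packets arrive on a non-loopback bind and that they carry the IOS tag the integration expects.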
This may help: I noticed you had localhost in there; my datastream wouldn't ingest until I used the real IP of my agent host. Here's an example of what mine looks like (fake IP):
Just out of curiosity, do you get the Cisco dashboards now that you have the data coming in? I've attempted to use two different Cisco integrations and both pull in data, but neither give me a dashboard.
I'm not sure if this is the intended use of the integration, but I was able to find a way to use the data that comes in. If you navigate to Stack Management --> Data --> Index Management, you'll find that there are Indices, Data Streams, etc. built for the ios logs. For my data I had to create a Data View by going to Stack Management --> Kibana --> Data Views
From there I created a data view by choosing advanced to find hidden indexes; attached is a screenshot of what you could set up. After that you'll see the Data View available in Discover, then you can use the fields to make dashboards.