Cisco Log

mhalatuituia · March 28, 2017, 10:57am

hi i have been trying for quite some time but i cannot get it to work .... here is my config ..

file >>>>>>>> 02-beat-input.conf
input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
udp {
port => 5140
type => "syslog"
}

}
file >>>>>>>>>>>>>03-cisco-filter.conf

filter {
grok {
match => { "message" => "%{CISCOFW710001_710002_710003_710005_710006 %{WORD:protocol} (?:request|access) %{CISCO_ACTION:action} from %{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}/%{INT:dst_port}" }
}
}
# Parse the syslog severity and facility
syslog_pri { }
dns {
reverse => [ "host" ]
action => "replace"
}
geoip {
source => "src_ip"
target => "geoip"
database => "/opt/logstash/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float"]
}
# do GeoIP lookup for the ASN/ISP information.
geoip {
database => "/opt/logstash/GeoIPASNum.dat"
source => "src_ip"
}
}
~
file >>>>>>>>>>>>>>10-syslog-filter.conf
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}

}
file >>>>>>>>>>>>>> 30-elasticsearch-output.conf

output {
elasticsearch {
hosts => ["localhost:9200"]

sniffing => true

manage_template => false

index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"

document_type => "%{[@metadata][type]}"

}
stdout {
codec => rubydebug
}

}
.... i have been trying al sort of thing for quite some time but could not make it to work ...
I have several Cisco Devices which i want to send its log to this elk but i can't . i have this on my kibana which shows log is being shipped but i cant analyse base on source ip, port etc etc ...
message:<

warkolm · March 30, 2017, 1:13am

What's not working exactly?

mhalatuituia · March 30, 2017, 3:53am

Thanks Goodness Mark ...
i cannot see the log message is correctly parse i guess therefore analysed ...

warkolm · March 30, 2017, 4:26am

Where are you looking at this log message? Is it in stdout, in ES?

mhalatuituia · March 30, 2017, 6:51am

?yes

mhalatuituia · April 3, 2017, 10:17am

can anyone help my with my issue ???

system · May 1, 2017, 10:17am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.