Forward log to siem

elk2 · August 7, 2018, 4:08pm

I would like to forward syslog from many device cisco to a siem using logstash.
I tried to use syslog plugin but logstash insert a message into log and don't forward only the syslog message.

this is the part of logstash config output:
output{
syslog {
facility => ["syslogd"]
host => ["192.168.1.90"]
port => 514
severity => ["notice"]
}
}

this is the syslog that logstash receive
Msg:<14>Aug 07 17:58:06 accesslog: Info: 1533657485.836 222 10.54.5.1 TCP_CLIENT_REFRESH_MISS/200 306 GET http://google.com:443/ <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",11.03,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"> - 51.14.141.128\0x0a

This is the syslog that logstash forward:
Msg: Aug 07 15:58:06 %{host} LOGSTASH[-]:<14>Aug 07 17:58:06 accesslog: Info: 1533657485.836 222 10.54.5.1 TCP_CLIENT_REFRESH_MISS/200 306 GET http://google.com:443/ <-,-,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,-,-,"-","-","-","-","-","-",11.03,0,-,"-","-",-,"-",-,-,"-","-",-,-,"-"> - 51.14.141.128\0x0a

As you can see logstash insert

Aug 07 15:58:06 %{host} LOGSTASH[-]

I would like to forward the first original syslog

Badger · August 7, 2018, 4:29pm

Specify a codec with a format. For example,

output {
    syslog {
         codec => plain { format => "%{message}" }
    ...

elk2 · August 8, 2018, 7:17am

Don't work. I have the same result with your config.

elk2 · August 9, 2018, 12:46pm

I tried to use upd plugin output but also in this case into message I have this:

Original

"<159>ago 08 11:23:35 100.149.40.214 message.."

Forwarded message

Aug  8 12:21:27 192.168.11.218 {"message": "<159>ago 08 11:23:35 100.149.40.214 message.."

system · September 6, 2018, 12:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.