Forward logstash logs to another SIEM

Hi everyone,

I am facing issues with our new servers, which can only have one syslog server configured. We are using two SIEMs to send logs to (logstash and FSIEM). So I would like to configure the logstash virtual IP as the only syslog server and forward logs from the logstash configuration to the other SIEM.
Is there a way to do that? If someone can help, please!

Here is my logstash configuration, /var/lib/logstash/pipeline/logstash.conf:

input {
  udp {
    port => 5514
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => "<ip_address>:9200"
    user => "<user>"
    password => "<password>"
    index => "<prefix>-%{host}_logstash_%{+YYYY.MM}"
  }
}

Thanks in advance for your help

Regards,
Cheikh

You can define two outputs in a logstash pipeline so you'll just add another output block.

This has a number of downsides you'll want to consider, for example, the pipeline may stop processing syslog messages if an output becomes unavailable.

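One way to limit the blocking William describes, as an added example that is not from this thread or from Elastic's own docs: split the flow into an intake pipeline and one downstream pipeline per destination in pipelines.yml (Logstash's pipeline-to-pipeline "forked path" pattern), so each output has its own persisted queue. The pipeline ids, the addresses `es` and `fsiem`, and the `<...>` values are placeholders chosen for this example.

```yaml
# pipelines.yml (constructed example): one intake pipeline fans each event out
# to two downstream pipelines, each buffered by its own on-disk queue, so a
# stalled FortiSIEM output does not stop events from reaching Elasticsearch.
- pipeline.id: intake
  config.string: |
    input { udp { port => 5514 type => "syslog" } }
    filter {
      if [type] == "syslog" {
        grok {
          match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
        }
        date { match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ] }
      }
    }
    # a copy of every event is sent to both downstream addresses
    output { pipeline { send_to => ["es", "fsiem"] } }

- pipeline.id: es
  queue.type: persisted        # buffer on disk while Elasticsearch is unavailable
  queue.max_bytes: 2gb
  config.string: |
    input { pipeline { address => "es" } }
    output {
      elasticsearch {
        hosts => "<elastic_server_address>:9200"
        user => "<user>"
        password => "<password>"
        index => "<prefix>-%{host}_logstash_%{+YYYY.MM}"
      }
    }

- pipeline.id: fsiem
  queue.type: persisted        # buffer on disk while FortiSIEM is unreachable
  queue.max_bytes: 2gb
  config.string: |
    input { pipeline { address => "fsiem" } }
    output {
      syslog {
        host => "<fsiem_server_address>"
        port => 514
        protocol => "udp"
        rfc => "rfc3164"
        appname => "FortiSIEM"
      }
    }
```

The intake pipeline still blocks once a downstream queue is full, so size queue.max_bytes for the longest outage you want to ride out.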

Hello William,

Thanks a lot for your quick feedback.
I already installed the syslog plugin:

# podman exec -it logstash /bin/bash
logstash$ bin/logstash-plugin install logstash-output-syslog

I am now trying the following:

input {
  udp {
    port => 5514
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => "<elastic_server_address>:9200"
    user => "<user>"
    password => "<password>"
    index => "<prefix>-%{host}_logstash_%{+YYYY.MM}"
  }
  # second output: forward a copy of each event to FortiSIEM over UDP syslog
  syslog {
    appname => "FortiSIEM"
    protocol => "udp"
    port => "514"
    host => "<fsiem_server_address>"
    rfc => "rfc3164"
  }
}

I will give you feedback on whether it is working fine or not.

Thanks again!
Cheers