I want to collect syslogs from cisco switch which will use UDP 514 to send syslogs.
I tried setcap command and port forwarding on firewall. But failed. I used following commands,
setcap -
setcap cap_net_bind_service=+epi /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.102-1.b14.el7_2.x86_64/jre/bin/java
setcap cap_net_bind_service=+epi /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.111-2.6.7.2.el7_2.x86_64/jre/bin/java
Firewall commands -
firewall-cmd --permanent --add-forward-port=port=514:proto=tcp:toport=5514
firewall-cmd --permanent --add-forward-port=port=514:proto=udp:toport=5514
what did I do wrong? is their any other way to achieve the same goal. Please help.
My Logstash conf file-
input {
beats {
port => 5000
type => "filebeat"
}
beats {
port => 5001
type => "winlogbeat"
}
syslog {
port => 514
type => "syslog"
}
}
Filebeat filter
filter {
#ignore log comments
if [message] =~ "^#" {
drop {}
}
grok {
#patterns_dir => "./patterns"
match => {"message" => "%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:servername1} %{IPORHOST:serverip} %{WORD:verb} %{NOTSPACE:request1} %{GREEDYDATA:request2} %{NUMBER:port} %{IPORHOST:clientip} %{NOTSPACE:protocol} %{NOTSPACE:querystring} %{IPORHOST:servername} %{NOTSPACE:agent} %{NOTSPACE:referrer} %{NUMBER:response} %{NUMBER:sub_response} %{NUMBER:sc_status} %{NUMBER:responsetime}"}
}
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
locale => "en"
}
}
Second filter
#filter {
if "_grokparsefailure" in [tags] {
} else {
# on success remove the message field to save space
mutate {
# remove_field => ["message", "timestamp", "servername", "servername1"]
#}
}
#}
output {
elasticsearch {
hosts => ["172.........:9200"]
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}