How to create logstash for different network device over same udp port

sajiby3k · February 1, 2021, 5:54pm

Hi,

I am very new to elk stack.

Trying to use logstash for Cisco routers and Fortigate firewalls.

Both of these device types will use default udp port 514 to logstash to send log files.

Most basic configuration looks like below for input.

input{
udp{
port => 514
type => "log4net"
}
}

But with this setup I cannot differenciate which is a fortigate and which is a cisco log.

I try to avoid configure a unique udp port for each type of device from different vendors.

The goal is not gork data for additional fields according to their log contents.

Any help. Or I am missing something obivios.

Regards.

warkolm · February 1, 2021, 11:04pm

Welcome to our community!

Using different ports is the best option. If not, you might be able to tag them based on specific information each log format contains?

sajiby3k · February 2, 2021, 7:32am

Can you explain what the host in input udp does?

What is the - Host value - my logstsash IP adress or the device sending the syslog data (Cisco/Fortigate)?

warkolm · February 2, 2021, 8:29am

The docs state;

The address which logstash will listen on

Topic		Replies	Views
Network devices logs monitoring Logstash	1	1491	January 27, 2020
Logstash profile Logstash	2	264	November 30, 2022
Configuration with multiple types Logstash	2	815	March 14, 2018
Separate device in logstash based on the destination port Logstash	1	235	July 25, 2022
Didnt get the output of cisco router syslog in logstash server Logstash	6	1586	July 6, 2017