Well, I looked at this syslog; the IP address may be useful.
A log in Kibana looks like this:
{
  "_index": "syslog-generic-20220123",
  "_type": "_doc",
  "_id": "fzAZh34BidnVrFlllwQe",
  "_version": 1,
  "_score": 1,
  "_source": {
    "facility": 0,
    "@timestamp": "2022-01-23T13:21:48.215Z",
    "host": "1.2.3.4",
    "facility_label": "kernel",
    "type": "syslog-generic",
    "priority": 0,
    "message": "<134>dnscache: 1642944108 2022-01-23 21:21:48 queries:litedev.ys7.com IN A from client 10.150.0.134#60923,dns_server 1.2.3.4:53 responds to:112.17.34.109,about line:2,set MARK:0x2010403\n",
    "severity": 0,
    "severity_label": "Emergency",
    "tags": [
      "_grokparsefailure_sysloginput"
    ],
    "@version": "1"
  },
  "fields": {
    "severity": [
      0
    ],
    "tags.keyword": [
      "_grokparsefailure_sysloginput"
    ],
    "@version.keyword": [
      "1"
    ],
    "severity_label.keyword": [
      "Emergency"
    ],
    "type": [
      "syslog-generic"
    ],
    "message": [
      "<134>dnscache: 1642944108 2022-01-23 21:21:48 queries:litedev.ys7.com IN A from client 10.150.0.134#60923,dns_server 1.2.3.4:53 responds to:112.17.34.109,about line:2,set MARK:0x2010403\n"
    ],
    "priority": [
      0
    ],
    "tags": [
      "_grokparsefailure_sysloginput"
    ],
    "@timestamp": [
      "2022-01-23T13:21:48.215Z"
    ],
    "type.keyword": [
      "syslog-generic"
    ],
    "message.keyword": [
      "<134>dnscache: 1642944108 2022-01-23 21:21:48 queries:litedev.ys7.com IN A from client 10.150.0.134#60923,dns_server 1.2.3.4:53 responds to:112.17.34.109,about line:2,set MARK:0x2010403\n"
    ],
    "host": [
      "1.2.3.4"
    ],
    "@version": [
      "1"
    ],
    "host.keyword": [
      "1.2.3.4"
    ],
    "facility": [
      0
    ],
    "facility_label.keyword": [
      "kernel"
    ],
    "severity_label": [
      "Emergency"
    ],
    "facility_label": [
      "kernel"
    ]
  }
}
In the JSON log, "1.2.3.4" is the unique source address of the device.
So, the problem becomes: how to identify the IP address in the Logstash filter?
I tried this:
input {
  syslog {
    type => "syslog-generic"
    host => "ip-addr-of-logstash"
    port => 514
  }
}
filter {
  # The event field is [host] (the "host" key under "_source" in the Kibana
  # document). The "fields" block in the Kibana document is part of the search
  # hit, not of the event, so [fields][host] never matches in a filter.
  if [host] == "1.2.3.4" {
    mutate {
      replace => {
        "[type]" => "syslog-dns-query"
      }
    }
  }
}
output {
  if [type] == "syslog-dns-query" {
    elasticsearch {
      hosts => ["myes-addr"]
      user => "elastic"
      password => "changeme"
      index => "syslog-dns-query-%{+YYYYMMdd}"
    }
  }
}
But no index named syslog-dns* appears in Kibana.
So, is anything wrong?
Thank you.
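As an added illustration (not from the original post): the script below takes the Kibana document above, resolves Logstash-style field references against the event (`_source`) to show why `[fields][host]` finds nothing while `[host]` does, routes the event the way the conditional in the filter intends, and parses the dnscache message into structured fields so the DNS query can be searched on client IP or queried name. The regular expression and the output field names (`qname`, `client_ip`, `answer`, and so on) are my own choice, not something Logstash or dnscache defines; the sample document is the one shown above.

```python
import re

# Constructed sample: the relevant parts of the Kibana hit shown above.
# "fields" is added to the search hit by Elasticsearch/Kibana; it is not an event field.
KIBANA_HIT = {
    "_index": "syslog-generic-20220123",
    "_source": {
        "host": "1.2.3.4",
        "type": "syslog-generic",
        "message": "<134>dnscache: 1642944108 2022-01-23 21:21:48 queries:litedev.ys7.com IN A "
                   "from client 10.150.0.134#60923,dns_server 1.2.3.4:53 responds to:112.17.34.109,"
                   "about line:2,set MARK:0x2010403\n",
        "tags": ["_grokparsefailure_sysloginput"],
    },
    "fields": {"host": ["1.2.3.4"], "type": ["syslog-generic"]},
}

# Assumed layout of a dnscache query line; group names are my own.
DNSCACHE_RE = re.compile(
    r"^<(?P<pri>\d+)>dnscache: (?P<epoch>\d+) (?P<date>\S+) (?P<time>\S+) "
    r"queries:(?P<qname>\S+) IN (?P<qtype>\S+) from client "
    r"(?P<client_ip>[\d.]+)#(?P<client_port>\d+),dns_server "
    r"(?P<server_ip>[\d.]+):(?P<server_port>\d+) responds to:(?P<answer>[^,]*)"
)


def field_ref(event, ref):
    """Resolve a Logstash-style reference such as "[fields][host]" against an event dict.
    Returns None when any segment of the path is missing, which is why a conditional
    on a non-existent path never matches."""
    node = event
    for key in re.findall(r"\[([^\]]+)\]", ref):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def route_event(event, dns_host="1.2.3.4"):
    """Equivalent of the filter conditional: retag events from the DNS device."""
    if field_ref(event, "[host]") == dns_host:
        return "syslog-dns-query"
    return event.get("type", "syslog-generic")


def decode_pri(pri):
    """Split a syslog PRI value into (facility, severity): PRI = facility * 8 + severity."""
    return pri // 8, pri % 8


def parse_dnscache(message):
    """Extract the DNS query fields from a dnscache log line; None if the line does not match."""
    m = DNSCACHE_RE.match(message)
    if m is None:
        return None
    d = m.groupdict()
    d["facility"], d["severity"] = decode_pri(int(d.pop("pri")))
    d["epoch"] = int(d["epoch"])
    d["client_port"] = int(d["client_port"])
    d["server_port"] = int(d["server_port"])
    return d


def index_for(event_type, yyyymmdd):
    """Mirror the output index pattern "<type>-%{+YYYYMMdd}"."""
    return f"{event_type}-{yyyymmdd}"


if __name__ == "__main__":
    event = KIBANA_HIT["_source"]
    print("[fields][host] ->", field_ref(event, "[fields][host]"))
    print("[host]         ->", field_ref(event, "[host]"))
    print("routed type    ->", route_event(event))
    print("index          ->", index_for(route_event(event), "20220123"))
    print("parsed         ->", parse_dnscache(event["message"]))
```

The PRI of 134 decodes to facility 16 (local0) and severity 6 (informational), which differs from the facility 0 / severity 0 that the syslog input recorded alongside its `_grokparsefailure_sysloginput` tag; that tag means the input could not parse the line as standard syslog, so the priority values in the stored document should not be trusted for this source.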