How to forward logstash logs to Rapid7?

srbhklkrn · January 7, 2020, 11:34pm

I'm trying to forward logs using Logstash to Rapid7 SIEM tool with particular tags, below is the output plugin but it's not working, what am I doing wrong?

output {
    if [type] == "syslog" {

        elasticsearch { hosts => ["localhost:9200"] }

        if [tags] == "Prod"
        {
            http {
                hosts => ["10.10.1.1:10025"]
            }
        }
    }
}

Badger · January 8, 2020, 12:06am

That's valid, but it is a string comparison. It is more likely you want an array membership test

if "Prod" in [tags]

srbhklkrn · January 8, 2020, 2:50pm

Thank you for the reply I changed my condition to

if "Prod" in [tags]

and I'm trying to write it to the file but its not writing it with if condition, but if I remove it it writes to the specified path.

output {
    if [type] == "syslog" {

        elasticsearch { hosts => ["localhost:9200"] }
         }

        if "Prod" in [tags]
        {
           file{
                 path => "/home/user/logstash-test/test-%{+YYYY-MM-dd}.log"
           }
        }
}

Badger · January 8, 2020, 3:19pm

OK, so add

codec => rubydebug

to the file output and show us what an event looks like when it is written out.

srbhklkrn · January 8, 2020, 3:24pm

it still not writing it in file

Badger · January 8, 2020, 3:58pm

Maybe it does not have [type] set to syslog. Add an else and a second file output.

srbhklkrn · January 8, 2020, 4:15pm

Here is the complete pipeline, I need to send all logs tagged as Prod to rapid7 but for now I just need to send it to file, as you said by putting else indeed write the file but how do I send only Prod logs?

   input {
  tcp {
    port => 10514
    type => syslog
  }

  udp {
    port => 10514
    type => syslog
  }

}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOG5424PRI}%{NONNEGINT:syslog5424_ver} +(?:%{TIMESTAMP_ISO8601:syslog5424_ts}|-) +(?:%{HOSTNAME:syslog5424_host}|-) +(?:%{NOTSPACE:syslog5424_app}|-) +(?:%{NOTSS
PACE:syslog5424_proc}|-) +(?:%{WORD:syslog5424_msgid}|-) +(?:%{SYSLOG5424SD:syslog5424_sd}|-|) +%{GREEDYDATA:syslog5424_msg}" }
    }

    syslog_pri { }

    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }

    if !("_grokparsefailure" in [tags]) {
      mutate {
        replace => [ "@source_host", "%{syslog_hostname}" ]
        replace => [ "@message", "%{syslog_message}" ]
      }
    }

    mutate {
      remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
    }

    if [message] =~ /.prod./ {
        mutate {
                add_tag => ["Prod"]
        }
     }
  }

}

output {
  if [type] == "syslog" {
    elasticsearch {
      hosts => ["10.31.45.85:9450", "10.31.45.86:9450", "10.31.45.87:9450"]
      index => "logstash-%{+yyyy.MM.dd}"
    }

    if "Prod" in [tags] {

      file {
        path => "/home/myuser/logstash-logs/test-%{+YYYY-MM-dd}.log"
        codec => rubydebug
      }
    } else {
      file {
        path => "/home/myuser/logstash-logs/test2-%{+YYYY-MM-dd}.log"
        codec => rubydebug
      }
    }
  }
}

system · February 5, 2020, 4:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.