Identifying Unique Log Sources

Hello,

We are attempting to start collecting from our first ESXi host and getting the logs to logstash is any easy process however, our goal is to take multiple log source types (asa, cisco switch, esxi, etc.) all on the common syslog UDP or TCP 514 port. We would like to have the ability to tag each of these as unique sources. With esxi we cannot find a unique string or pattern to identify it as ESXi specific. The logs from esxi seem to be generic syslog events with nothing to distinguish them as esxi.

A solution to this could be using different ports and identifying them this way. However, is there any documentation or way of recognizing an esxi source through the raw syslog?

Thank you

Welcome! :smiley:

Not that I have seen, I think most solutions involved a specific input port, and then tagging that input.

at best you can split them by host, as it is an identifier in proper syslog. you could probably maintain a dictionary of servers and type for example

“host-a”: esxi

then using a translate filter , you can dynamically add type to the incoming log message. all you need to do is update your dictionary if you have new log source

2 Likes

Thank you!