Identifying Unique Log Sources

phinkel · May 19, 2020, 5:03pm

Hello,

We are attempting to start collecting from our first ESXi host and getting the logs to logstash is any easy process however, our goal is to take multiple log source types (asa, cisco switch, esxi, etc.) all on the common syslog UDP or TCP 514 port. We would like to have the ability to tag each of these as unique sources. With esxi we cannot find a unique string or pattern to identify it as ESXi specific. The logs from esxi seem to be generic syslog events with nothing to distinguish them as esxi.

A solution to this could be using different ports and identifying them this way. However, is there any documentation or way of recognizing an esxi source through the raw syslog?

Thank you

warkolm · May 20, 2020, 10:53pm

Welcome!

Not that I have seen, I think most solutions involved a specific input port, and then tagging that input.

ptamba · May 21, 2020, 5:38am

at best you can split them by host, as it is an identifier in proper syslog. you could probably maintain a dictionary of servers and type for example

“host-a”: esxi

then using a translate filter , you can dynamically add type to the incoming log message. all you need to do is update your dictionary if you have new log source

phinkel · May 21, 2020, 3:26pm

Thank you!

system · June 18, 2020, 3:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Distinguish between syslog inputs Logstash	5	2588	May 25, 2017
How to uniquely identify data from different sources Logstash	13	4473	July 19, 2017
Multiple Syslog Inputs on one port Logstash	5	2252	May 14, 2018
Different ssyslog source Logstash	3	612	July 6, 2017
How to distinguish between two input data sources? Logstash	3	580	April 23, 2018

Identifying Unique Log Sources

Related topics