Logstash filter for Cisco device


(Muratungor) #1

Hello,
we have a syslog-ng server that collects logs from Cisco switches, routers etc., and syslog-ng writes those logs to its filesystem. Here is an example of lines from Cisco:
Aug 10 14:56:30 ip..ip.ip.ip hostname: Aug 10 14:56:30.072 TSI: %SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/2 deleted from Vlan 851
Aug 10 14:56:30 ip.ip.ip.ip hostname: Aug 10 14:56:29.235 TSI: %EPM-6-IPEVENT: IP 0.0.0.0| MAC 001a.e80d.8a2d| AuditSessionID 0A6DC015000085F6E8E98B24| EVENT IP-RELEASE

When I send this log from syslog-ng to Logstash with the filter below, it looks like this:

input {
  tcp {
    host => "10.104.185.158"
    port => 5515
    type => "networklogs_cisco"
  }
}

filter {
  # the type must match the input exactly ("networklogs_cisco", not "networklogs_ciso"),
  # otherwise the grok never runs and the raw line is passed through unparsed
  if [type] == "networklogs_cisco" {
    grok {
      break_on_match => true
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{INT:port} %{INT:version} %{SYSLOGHOST:syslog_hostname} %{SYSLOGTIMESTAMP:origin_timestamp} %{SYSLOGHOST:syslog_ip} %{SYSLOGHOST:origin_hostname}: %{CISCOTIMESTAMP:cisco_timestamp} TSI: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}" }
      # grok appends to a field that already exists; without overwrite "message" becomes an array
      overwrite => [ "message" ]
      add_field => {
        "received_at" => "%{@timestamp}"
        "received_from" => "%{origin_hostname}"
      }
      remove_field => [ "syslog_timestamp", "port", "version", "syslog_hostname" ]
    }

    date {
      match => [ "origin_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  if [type] == "networklogs_cisco" {
    file {
      path => "/var/log/logstash/networklogs_cisco"
    }
  }
}

[root@hostname~]# tail -f /var/log/logstash/networklogs_cisco
{"@timestamp":"2017-08-10T11:59:26.431Z","port":42085,"@version":"1","host":"syslogng's ip","message":"<190>Aug 10 14:59:26 10.109.0.14 hq-809s: Aug 10 14:59:26.019 TSI: %EPM-6-IPEVENT: IP ip.ip.ip.ip| MAC 001a.e826.9039| AuditSessionID 0A6D000E00005B0CDCD7D2F8| EVENT IP-ASSIGN","type":"networklogs_cisco"}

What I expect is: I don't want to see the timestamp, port, version and syslog-ng IP, because when I send this log to Elastic I can't see the right fields on Kibana. The only fields I want to see on Kibana are:
%{SYSLOGTIMESTAMP:origin_timestamp} %{SYSLOGHOST:syslog_ip} %{SYSLOGHOST:origin_hostname}: %{CISCOTIMESTAMP:cisco_timestamp} TSI: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}
Best regards,
Murat
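The parse the post is after, written out as an added Python example (not part of the post and not Logstash code): a regex with the same shape as the grok the poster wants, run over two constructed lines modelled on the ones above, one with the leading `<PRI>` that syslog-ng prepends when it relays over TCP and one without it, as written to syslog-ng's own file. The field names are the poster's; the `tz_label` group (the post hardcodes `TSI:`), the PRI decoding into syslog facility/severity, and the sample IP, hostname and MAC values are assumptions made for the example.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample lines (not real device output), modelled on the post:
# [0] as received from syslog-ng over TCP (leading <PRI>),
# [1] as syslog-ng writes it to its own file (no <PRI>).
SAMPLE_LINES = [
    "<190>Aug 10 14:59:26 10.109.0.14 hq-809s: Aug 10 14:59:26.019 TSI: "
    "%EPM-6-IPEVENT: IP 10.0.0.5| MAC 001a.e826.9039| "
    "AuditSessionID 0A6D000E00005B0CDCD7D2F8| EVENT IP-ASSIGN",
    "Aug 10 14:56:30 10.109.0.14 core-sw01: Aug 10 14:56:30.072 TSI: "
    "%SPANTREE-7-PORTDEL_SUCCESS: GigabitEthernet1/0/2 deleted from Vlan 851",
]

# Regex equivalent of the wanted grok: optional <PRI>, the relay's own
# timestamp / source IP / hostname, then the device's timestamp, a timezone
# label (assumed; the post hardcodes "TSI"), the %FACILITY-SEVERITY-MNEMONIC
# tag and the free text.  Anchored at both ends so a partial match cannot
# leave junk in the fields.
CISCO_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<origin_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<origin_hostname>[\w.-]+): "
    r"(?P<cisco_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}(?:\.\d{1,3})?) "
    r"(?P<tz_label>[A-Za-z]+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity_level>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$"
)

# RFC 3164 severity names, indexed by PRI % 8
SYSLOG_SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_cisco_line(line: str) -> Optional[dict]:
    """Return the fields the poster wants on Kibana, or None when the line
    does not have the expected shape (grok would tag _grokparsefailure)."""
    m = CISCO_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    fields = m.groupdict()
    fields["severity_level"] = int(fields["severity_level"])
    pri = fields.pop("pri")           # relay metadata, not wanted as a field
    if pri is not None:
        # PRI = facility * 8 + severity, e.g. 190 -> local7 (23), info (6)
        pri = int(pri)
        fields["syslog_facility_code"] = pri // 8
        fields["syslog_severity"] = SYSLOG_SEVERITY[pri % 8]
    return fields


def event_time(fields: dict, year: int) -> datetime:
    """Turn the device timestamp (sent without a year) into a datetime, the
    way the date filter does; the caller supplies the year, as Logstash
    assumes the current one."""
    ts = fields["cisco_timestamp"]
    fmt = "%b %d %H:%M:%S.%f" if "." in ts else "%b %d %H:%M:%S"
    return datetime.strptime(f"{year} {ts}", f"%Y {fmt}")


def severity_consistent(fields: dict) -> bool:
    """True unless the relay's PRI severity and the Cisco tag severity disagree,
    which normally means a misconfigured relay rewrote the priority."""
    if "syslog_severity" not in fields:
        return True
    return SYSLOG_SEVERITY[fields["severity_level"]] == fields["syslog_severity"]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        parsed = parse_cisco_line(line)
        print(parsed, event_time(parsed, 2017), severity_consistent(parsed))
```

Two things the regex makes visible that matter in the Logstash config as well: the relay fields (`port`, `@version`, `host` in the output above) are added by the tcp input and are not inside the message at all, so a grok pattern that starts with `%{INT:port} %{INT:version}` will never match the line; and `add_field` / `remove_field` inside a grok block only run when the match succeeds, so dropping fields that must go regardless belongs in a separate `mutate` filter.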
