Logstash conditional output

Elastic Stack Logstash
#1

Hello,

Looking to use logstash to host multiple syslog listeners to start to aggregate logs from different vendors and then forward on for now to another syslog server.

The question is whether we can set the syslog output dependant on the source address for example:

TCP 514 collects all firewalls and routers

As we know the source addresses of these I would like to be able to get logstash to look up the source address and then route them accordingly e.g.

TCP 514 > Logstash > (Firewall) > SYSLOG out to xxxx:5000
TCP 514 > Logstash > (Router) > SYSLOG out to xxxx:5001

#2

What's your current logstash config ?

You can setup if conditions on output's setting depending on which file you pick up or which fields contains Firewall or Router related informations.

#3

So - I have basic listeners setup and just configuring the outputs - building as I go.

I wasn't sure if you could do e.g.

if {host} is listed in routers.txt then output = x elseif {host} is listed in firewalls.txt then output = Y

#4

there has to be a better way to do this than using text files.

You can configure logstash to listen on port 514 for firewalls and tag it to "Firewall" and 517 for "Router".

Then output as

if "Router" in [Tags] output XXX
if "Firewall" in [Tags] output YYY

#5

I'm not fully aware of the infrastructure your working on and the requirements you have thus it's hard to propose a solution that would be useful for your case.

Please dont be affraid to explain the need of each step and the results you want to accomplish with each elements.

#6

Hiya.

Thanks for coming back.

Ideally we will set the correct destination port at the source however at the moment all these devices are sending to one IP on port 514 - on this IP I want to put logstash and break it out to the device types for sending on if that makes sense?

Thanks
Peter.

#7

How to create multiple indexs with multiple input in logstash - #4 by Badger is a great example of how to do this.

#8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.