Logstash - Multiple Log Sources 'Syslog'

Hi!

I'm in the process of planning an ELK setup to have a central log collection and monitoring system. I've got a few Linux clusters, firewalls and Microsoft Windows servers I would like to collect logs from.

  • Firewall can forward syslog messages UDP/TCP
  • Linux can do the same
  • Windows would use Snare agent to forward syslog messages too

On the Logstash side I would use a tcp/udp input to receive and handle the messages. The only question I have now:
Would I have to receive each event source type of message on a different port (for example)? As the format of the firewall, the Linux system and the Microsoft machines will be completely different, and parsing will therefore be completely different!

Or does Logstash offer a way to define different parsings in one configuration, and Logstash tries to match each defined one until one matches or none are left? (I don't know if that would be efficient though,...)...

Or what is the "usual" approach? That's easy with log files,...but most of what I want to collect will be arriving over a tcp stream,..

Regards

Would I have to receive each event source type of message on a different port (for example)? As the format of the firewall, the Linux system and the Microsoft machines will be completely different, and parsing will therefore be completely different!

Yes, using different ports is probably the easiest way of solving this.

Or does Logstash offer a way to define different parsings in one configuration, and Logstash tries to match each defined one until one matches or none are left? (I don't know if that would be efficient though,...)...

Logstash's grok filter tries all of its expressions until it gets a match. You could also have conditionals that try a few different regexps to determine the kind of log and set the type field accordingly. But as you say, this requires extra logic and will not perform as well as simply using different ports.

1 Like
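As an added illustration of the one-port-per-source approach the answer recommends (this is example configuration, not something posted in the thread), the pipeline below assigns a type field at the input and routes each type to its own grok filter. The port numbers, the firewall message layout and the shape of the Snare line are assumptions for illustration; the standard grok pattern names (SYSLOGTIMESTAMP, SYSLOGHOST, IP, POSINT, GREEDYDATA) ship with Logstash.

```conf
# Added example, not from the original thread: one Logstash pipeline, one port
# per log source. Port numbers and the firewall/Snare line formats are assumed.
input {
  # Firewalls forward to 5140; every event from these inputs gets type "firewall"
  udp { port => 5140 type => "firewall" }
  tcp { port => 5140 type => "firewall" }

  # Linux hosts (rsyslog / syslog-ng) forward to 5141
  udp { port => 5141 type => "linux" }
  tcp { port => 5141 type => "linux" }

  # Windows hosts running the Snare agent forward to 5142
  udp { port => 5142 type => "windows" }
  tcp { port => 5142 type => "windows" }
}

filter {
  if [type] == "firewall" {
    grok {
      # Hypothetical vendor format: "<ts> <host> fw: action=DROP src=<ip> dst=<ip>"
      match => { "message" => "%{SYSLOGTIMESTAMP:ts} %{SYSLOGHOST:host} fw: action=%{WORD:action} src=%{IP:src_ip} dst=%{IP:dst_ip}" }
    }
  }
  else if [type] == "linux" {
    grok {
      # Classic RFC 3164 line: "<ts> <host> <program>[<pid>]: <message>"
      match => { "message" => "%{SYSLOGTIMESTAMP:ts} %{SYSLOGHOST:host} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA:msg}" }
    }
  }
  else if [type] == "windows" {
    grok {
      # Snare prefixes its tab-separated event fields with "MSWinEventLog";
      # the remainder is kept whole here (field layout assumed, split it later)
      match => { "message" => "%{SYSLOGTIMESTAMP:ts} %{SYSLOGHOST:host} MSWinEventLog%{GREEDYDATA:snare_fields}" }
    }
  }

  # The single-port alternative the answer mentions would instead hand grok a
  # list of patterns; it tries them in order and stops at the first match
  # (break_on_match defaults to true):
  #   grok { match => { "message" => [ "<firewall pattern>", "<linux pattern>" ] } }

  # Promote the parsed syslog timestamp to @timestamp. Both spacing variants of
  # the RFC 3164 date ("Mar  7" vs "Mar 17") are accepted.
  date { match => [ "ts", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ] }
}

output {
  elasticsearch { hosts => ["localhost:9200"] index => "syslog-%{+YYYY.MM.dd}" }
}
```

Events whose grok pattern does not match are tagged `_grokparsefailure` rather than dropped, so a saved search on that tag is a cheap way to notice a device that has started sending an unexpected format, or a sender that has been pointed at the wrong port.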

Perfect, I will go that way then,...