Logstash preserve source ip

Hi,
I have a Logstash server running on Linux, and this server is collecting logs from various devices like storage systems, switches, firewalls, etc.
All devices send logs to the Logstash server's port 514. Most of them are fine, but there are storage devices and firewalls from various manufacturers that have limited log sending options: only the host. The port 514/udp (or tcp) is hardcoded, no other options.

I have to sort these devices by their original IP addresses, but the messages don't contain the IP addresses, only the message and timestamp.

I would like to add the devices' IP address to the log (for example, add a field with grok to a JSON log), but I couldn't find any variable that contains that information. I tried with "codec => rubydebug" but no luck (message and timestamp appeared in the messages, but no IP).
I tried [host][ip] in the line codec's custom format in a million combinations (i.e. %{host}, %{[host]}, etc.) but all of them show up in the log as a string, definitely not an IP address.

Is there any other way to add the source IP to the log message?

Thank you for your help!

What input are you using to receive the data?

As Badge mentioned, if you are using the syslog plugin, there should be the logsource field together with priority, severity and host.

You can manually add source.ip based on some criteria:

if [somefield] == "value" {
  mutate { add_field => { "[source][ip]" => "192.168.1.11" } }
}

If you want [source][ip] as an IP field/data type in ES, then you have to create/change the index template with [source][ip] as the IP field type. The GEO structure is optional.

Hello,

I'm using the "syslog" input type.

There is no such field "logsource"; this is a message:

{
          "type" => "syslog",
      "@version" => "1",
       "message" => "113 <86>1 2025-04-23T22:17:01+02:00 nginx-server CRON 49801 - - pam_unix(cron:session): session closed for user root",
    "@timestamp" => 2025-04-23T20:17:02.185654015Z,
         "event" => {
        "original" => "113 <86>1 2025-04-23T22:17:01+02:00 nginx-server CRON 49801 - - pam_unix(cron:session): session closed for user root"
    }
}

Currently a simple pipeline that records the message:

input
{
  tcp
  {
    port => 5514
    mode => "server"
    type => syslog
  }
}


output
{
  file
  {
    path => "/log/debug.log"
    codec => rubydebug
  }
}

Also, the IP addresses of the devices are unknown to me; they are added or removed by dedicated teams (network, hw/storage, etc.). The CMDB is the only place where the device list is maintained, but it has no API to query.
Changing the configuration every time a device is added/modified/removed would be a bit difficult.

Can you replace the input with this and show results?

input {
  syslog {
    port => 5514
    type => "syslog"
  }
}

Thank you, replacing "tcp" with "syslog" in the "input" section worked.
Now the IP address is available as the "ip" field!


If for some reason (e.g. needing TLS support) you had to continue with the tcp input, then you can get the source IP address from a field under [@metadata]. It is documented here (and the location varies depending on your ECS compatibility level).

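As an added example (not a config posted in this thread), this is how the tcp-input variant from the last reply looks in practice: the client address that the tcp input stores under [@metadata] is copied into [source][ip] before output, and the debug file is split per sending device, which is what the original question was after. The [@metadata][input][tcp][source][ip] path is the one the logstash-input-tcp documentation gives for ECS compatibility v8; the port, file path and "syslog" type are taken from the thread.

```logstash
# Added example: keep the tcp input (e.g. because TLS is needed) but lift
# the sender's address out of [@metadata] into an indexed field.
# With ecs_compatibility => disabled the plugin writes the address to the
# top-level [host] field instead, so the copy below would need adjusting.
input {
  tcp {
    port              => 5514
    mode              => "server"
    type              => "syslog"
    ecs_compatibility => "v8"
  }
}

filter {
  # [@metadata] is never written by outputs, so the address must be copied
  # into a regular field while the event is still in the pipeline.
  mutate {
    copy => { "[@metadata][input][tcp][source][ip]" => "[source][ip]" }
  }

  # Keep a hint for events where the metadata was missing (e.g. events that
  # did not arrive over this tcp input), instead of writing to a file named
  # after the unresolved %{[source][ip]} placeholder.
  if ![source][ip] {
    mutate { add_field => { "[source][ip]" => "unknown" } }
  }
}

output {
  # One debug file per sending device, e.g. /log/debug-10.20.1.5.log
  file {
    path  => "/log/debug-%{[source][ip]}.log"
    # metadata => true also prints the [@metadata] tree so the field
    # location can be confirmed for the ECS level actually in use.
    codec => rubydebug { metadata => true }
  }
}
```

As noted earlier in the thread, [source][ip] is only indexed as an IP data type in Elasticsearch if the index template maps it that way; the pipeline itself just stores a string.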