I'm a student doing studies around Centralized Logging.
I've set up an ELK stack: Kibana, Logstash, Elasticsearch, Filebeat, Nginx, Metricbeat and Packetbeat.
I've been messing around with many different logs.
Recently I've been wondering how to split up different syslog messages, because I've been collecting:
F5 syslog, Filebeat Syslog, Rsyslog, LeafSyslog, and some other syslogs.
Until recently I was using a few different ports for different types of syslog:
this way I could link the syslog type to the right filters, by tagging every incoming port with F5, Leaf, Syslog itself, etc.
But I want to get all the Syslogs on the same port and be able to split them up and tag the right logs.
I want to find something unique for every different syslog message, but is there a real unique difference in every log without tagging them from the client?
Preferably something unique which is the same on (for example) every F5 or every Leaf.
Thank you for the reply.
I am filtering, but the filtering comes after the input is collected and I'm filtering on the port it's coming in on. I could add a tag on that port, but that wouldn't make a difference.
I'm looking for a way to make them all unique and let them connect to the same port.
But now I'm specifically using a port for F5 and parsing it through the F5 filter I made.
I want them all on the same port and be able to check for something that is always going to be different and then parse them or tag them. So I don't have to add different incoming ports.
Yes it does, and my comment still applies. It's the only way you are going to be able to easily identify what source it's coming from, because you're matching the format of the event with (e.g.) the F5 format.
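The approach the reply describes, matching each event against the format fingerprint of its source instead of trusting the listening port, as an added example that is not code from the original thread or from Elastic. It goes a little beyond the thread by also separating RFC 5424 from RFC 3164 lines and by adding the check a practitioner wants once everything shares one port: a per-type allowlist of sending IPs, because any host that can reach the port can forge a line that looks like an F5 message. The sample lines, the F5 daemon/message-ID pattern (`tmm[pid]: 01010028:5:`) and the Cisco-style `%FACILITY-SEVERITY-MNEMONIC:` pattern used for the "Leaf" switches are constructed approximations; verify them against a capture from your own devices before relying on them.

```python
"""Content-based classification of syslog lines that all arrive on one port.

Added example, not code from the original thread. Sample lines and the F5 /
Cisco fingerprints are constructed approximations of real device output.
"""
import re
from typing import Optional

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)
# RFC 5424: "<PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] MSG"
RFC5424_RE = re.compile(
    r"^1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ")
# RFC 3164 (BSD style): "<PRI>Mmm dd hh:mm:ss HOST TAG: MSG"
RFC3164_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")
# F5 BIG-IP daemons (tmm, mcpd, bigd, sod) prefix each message with an
# 8-hex-digit message ID and a level digit, e.g. "tmm[1234]: 01010028:5:".
# Assumed format; check against your own BIG-IP logs.
F5_RE = re.compile(
    r"\b(?:tmm\d*|mcpd|bigd|sod)(?:\[\d+\])?: (?P<msgid>[0-9a-fA-F]{8}):(?P<level>\d):")
# Cisco IOS/NX-OS style leaf switches: "%FACILITY-SEVERITY-MNEMONIC:" (assumed)
CISCO_RE = re.compile(r"%(?P<fac>[A-Z][A-Z0-9_]*)-(?P<sev>[0-7])-(?P<mnem>[A-Z0-9_]+):")

# Most specific fingerprint first: a plain RFC 3164 test would also match the
# F5 line, so the order of these rules decides the tag.
RULES = [("f5", F5_RE), ("leaf", CISCO_RE), ("rfc5424", RFC5424_RE), ("syslog", RFC3164_RE)]

# Constructed sample input (not from the original post).
SAMPLES = [
    "<134>Dec 10 12:34:56 bigip1 notice tmm[12345]: 01010028:5: No members available for pool /Common/pool_http",
    "<187>2024 Dec 10 12:34:56 leaf01 %ETHPORT-5-IF_DOWN_LINK_FAILURE: Interface Ethernet1/1 is down (Link failure)",
    '<165>1 2024-12-10T12:34:56.003Z web01 nginx 4321 ID47 - 10.0.0.5 - - "GET / HTTP/1.1" 200',
    "<38>Dec 10 12:34:56 web01 sshd[2048]: Accepted publickey for alice from 10.0.0.9 port 51234 ssh2",
    "garbage line without a PRI header",
]


def classify(line: str, source_ip: Optional[str] = None,
             allowlist: Optional[dict] = None) -> dict:
    """Tag one raw syslog line by its content.

    Returns the tag, the facility/severity decoded from <PRI>, the host when the
    header is RFC 3164 or RFC 5424, and source_mismatch=True when an allowlist
    is given and the sending IP is not one expected for that tag.
    """
    result = {"tag": "unknown_syslog", "facility": None, "severity": None,
              "host": None, "source_mismatch": False}
    m = PRI_RE.match(line)
    if not m:
        # No PRI header at all: keep the fallback tag so the line is still
        # indexed and visible instead of silently disappearing.
        return result
    pri = int(m.group("pri"))
    result["facility"], result["severity"] = divmod(pri, 8)
    rest = m.group("rest")
    for tag, rx in RULES:
        if rx.search(rest):
            result["tag"] = tag
            break
    hdr = RFC5424_RE.match(rest) or RFC3164_RE.match(rest)
    if hdr:
        result["host"] = hdr.group("host")
    # Trust check: content can be forged by anyone who can reach the port, so
    # compare the sender against the addresses expected for this device type.
    if allowlist is not None and source_ip is not None:
        allowed = allowlist.get(result["tag"])
        if allowed is not None and source_ip not in allowed:
            result["source_mismatch"] = True
    return result


if __name__ == "__main__":
    expected = {"f5": {"10.0.0.1"}, "leaf": {"10.0.0.2"}}
    for sample in SAMPLES:
        print(classify(sample, source_ip="10.0.0.1", allowlist=expected))
```

In Logstash the same idea is a chain of `if [message] =~ /.../` conditionals, each with a `grok` filter for that device's format and an `add_tag`, plus a final `else` that tags the event as unknown; the allowlist becomes a comparison of the input's source-IP field against the addresses you expect for that tag. Note that the Cisco-style sample gets no `host` here because its timestamp layout matches neither standard header, which is exactly the kind of per-device quirk the per-type grok pattern has to absorb.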