If I want to view the NetFlow and Syslog data from a Cisco router in Kibana, I need to know which of the following choices is correct:
1. I have to send the NetFlow and Syslog data from the Cisco router to a Syslog-NG intermediate server with Filebeat, and after that send them to the Elasticsearch component of my ELK server.
2. I have to send the NetFlow and Syslog data from the Cisco router to the Logstash component of my ELK server, so Logstash adjusts the input and sends them to the local Elasticsearch component. In this choice I don't need to implement a Syslog-NG intermediate server.
When you say sending data to Filebeat, do you mean the Filebeat installed on the ELK server or a Filebeat installed on an intermediate Syslog-NG server?
If you want to listen on a syslog port inside your current syslog server, it doesn't really matter. If you want to read from a file that the syslog server dumps for you, then you need to install it on the syslog server. Just configure the output.elasticsearch section properly. Below I send you my config.
```yaml
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["host.pl:9200"]
  username: "login"
  password: "passs"
  # TLS: CA used to verify Elasticsearch, plus a client certificate for mutual TLS.
  ssl.certificate_authorities: ["./ca.crt"]
  ssl.certificate: "./filebeat.crt"
  ssl.key: "./filebeat.key"
  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  # Route each event to a per-module index, matched on the event.module field.
  indices:
    - index: "filebeat-netflow-%{+yyyy.MM.dd}-000001"
      when.equals:
        event.module: "netflow"
    - index: "filebeat-cisco-%{+yyyy.MM.dd}-000001"
      when.equals:
        event.module: "cisco"
    - index: "filebeat-system-%{+yyyy.MM.dd}-000001"
      when.equals:
        event.module: "system"
```
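The answer above shows only the output side. The input side, which is what makes the "router -> Filebeat -> Elasticsearch" path work without a Logstash or Syslog-NG hop, is the Filebeat netflow and cisco modules listening on UDP ports directly. The following filebeat.yml is an added example written for this thread, not the poster's config and not Elastic's documentation. Its hostname, the listening ports (2055 for NetFlow, 9003 for Cisco IOS syslog), the CA path and the user name are assumptions; the router must be configured to export NetFlow and send syslog to those ports on the Filebeat host.

```yaml
# Added example (not from the original thread): filebeat.yml that receives
# NetFlow and Cisco IOS syslog straight from the router and writes to
# Elasticsearch. Ports, host names, user and paths are assumptions.

filebeat.modules:
  # NetFlow v5/v9/IPFIX exported by the router to UDP 2055 on this host (assumed port).
  - module: netflow
    log:
      enabled: true
      var:
        netflow_host: 0.0.0.0
        netflow_port: 2055

  # Cisco IOS syslog sent by the router to UDP 9003 on this host (assumed port).
  - module: cisco
    ios:
      enabled: true
      var.syslog_host: 0.0.0.0
      var.syslog_port: 9003

# Custom index names in the output are ignored while ILM is active, and a
# custom index name also requires an explicit template name and pattern.
setup.ilm.enabled: false
setup.template.name: "filebeat"
setup.template.pattern: "filebeat-*"

output.elasticsearch:
  hosts: ["elk.example.internal:9200"]   # assumed host name
  protocol: "https"
  username: "filebeat_writer"            # assumed user with write access to filebeat-*
  # Secret kept out of the file:  filebeat keystore create && filebeat keystore add ES_PWD
  password: "${ES_PWD}"
  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]   # assumed path
  # Same routing idea as the config above: one index per module.
  indices:
    - index: "filebeat-netflow-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "netflow"
    - index: "filebeat-cisco-%{+yyyy.MM.dd}"
      when.equals:
        event.module: "cisco"
```

Two practical checks before relying on this: run `filebeat test config` and `filebeat test output` on the host to confirm the YAML parses and the TLS connection to Elasticsearch succeeds, and restrict inbound UDP 2055 and 9003 on the Filebeat host to the router's source address. Both UDP listeners accept unauthenticated datagrams, so without a host firewall or upstream ACL anyone who can reach those ports can inject fake flow and syslog records into the indices Kibana searches.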