Output NetFlow and Syslog to Elasticsearch

Ben19 · September 10, 2015, 3:42pm

Hello, I have an ELK server currently taking NetFlow traffic
from a single host and sending this to a custom index name (logstash_netflow-*)
etc and I’m now wanting to take syslogs on UDP port 5000. Currently NetFlow is
coming in on UDP port 9995 which works well.

What I’m wanting to do is be able to set an IF statement in
the output config so it will only take them from NetFlow and syslog only.

Is it possible to set the IF statement on maybe the netflow [codec]
directive and the syslog [type]? This is how I’m wanting to differentiate
inbound traffic.

Thanks

Ben19 · September 10, 2015, 4:09pm

I’ll add some more details, this server is taking syslogs
and NetFlow on alternate ports just fine. What I’m wanting to do is differentiate
between NetFlow and syslog in the output config by using a different IF
statement rather than (if ( [host] =~ /192.168.1.254/ ) {) in the below
.conf file, because I’d rather not have to specify the host each time I want to
add a new NetFlow device:

output {

stdout {
codec => rubydebug }

    if ( [host] =~ /192\.168\.1\.254/ ) {

      elasticsearch {

        index =>
"logstash_netflow5-%{+YYYY.MM.dd}"

        host => "localhost"

      }

    } else {

      elasticsearch {

        index =>
"logstash-%{+YYYY.MM.dd}"

        host => "localhost"

      }

    }

  }

magnusbaeck · September 10, 2015, 7:32pm

Is it possible to set the IF statement on maybe the netflow [codec] directive and the syslog [type]? This is how I’m wanting to differentiate inbound traffic.

Sure. You can place conditions on any field or combination of fields.

if [type] == "netflow" {
  ...
}

Ben19 · September 11, 2015, 10:24am

Thanks, this worked and I just needed to add in the “type
=> netflow” directive into my input .conf too.

Thanks again.