Problem with my Logstash '.conf' file for analysing syslog from my switches

Hello,

I have installed ELK stack 8.6 with Elasticsearch, Logstash, Kibana, Filebeat and Metricbeat; well!
I tested my server with a Logstash file "syslog.conf" with a beats input, which listens on port 5044. It works, I see my logs correctly.

But now I want to analyse syslog on port 514, for monitoring my HP 5140 switches, and I don't know how I can do it.

Can you help me fix my problem?
Thanks.

You need a .conf similar to this:

input {
  syslog {
    port => 514
  }
}
filter {
  # later will add grok like SYSLOGLINE or similar parser
}
output {
  file { path => "/path/hpsyslog_%{+YYYY-MM-dd}.txt" }
  stdout { codec => rubydebug{ } }
}

The message should be like this:
<189>Oct 9 14:59:04 2022 Sysname %%10SHELL/5/SHELL_LOGIN(l): VTY logged in from 192.168.1.1
Check the received messages and the documentation to get the field descriptions. The grok conf should be like this.

Hi,

Thanks for your help, actually it works, I saw my syslog in Kibana.
But when I want to see "who sent me syslog?" I see the IP of my interface and not the IP of my switch. It's a problem because I want to monitor a lot of switches and I want to know which one has a problem; in short, to know what they do on my network.

My .conf file is:

input {
  syslog {
    port => 514
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "switch_logs-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug{ } }
}

And I have created a VLAN on my interface to receive syslog from my switches:

 vlans.30@enp1s0: 
    group default qlen 1000
    inet 10.128.2.244/22 brd 10.128.3.255 scope global vlans.30

What I see in Kibana:

[screenshot]

It's the same IP as my interface.

And I don't know how I can fix my problem.

Thanks again for your help.

Good. :+1:
syslog_hostname is what the syslog message contains; I would leave it as it is.
logsource or log.syslog or similar should also be there as an independent field; this is the IP/hostname of the device which is sending the data. I think you should configure the device to use only a single IP for forwarding. Check the full JSON document for the additional fields; it's visible in Kibana.
host is the side which receives the data, the address to listen on.
syslog_timestamp is actually the real @timestamp from your log source; you should use date for formatting. Currently you are using @timestamp as Logstash getdate().

    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ] # put correct format
    }

Also, you can even put the grok pattern inside the input.

I didn't understand everything. Should I delete the timestamp in my grok filter and add 'date'?
For example, my switch's syslogs look like this:

%Feb 27 16:48:01:854 2013 HP5140-Bat-3-3 IFNET/3/PHY_UPDOWN: Physical state on the interface GigabitEthernet1/0/2 changed to up.
%Feb 27 16:48:01:855 2013 HP5140-Bat-3-3 IFNET/5/LINK_UPDOWN: Line protocol state on the interface GigabitEthernet1/0/2 changed to up.
%Feb 27 16:48:17:807 2013 HP5140-Bat-3-3 LLDP/6/LLDP_CREATE_NEIGHBOR: Nearest bridge agent neighbor created on port GigabitEthernet1/0/2 (IfIndex 2), neighbor's chassis ID is 482a-e37c-a954, port ID is 482a-e37c-a954.
%Feb 27 16:49:54:378 2013 HP5140-Bat-3-3 STP/6/STP_NOTIFIED_TC: Instance 0's port Bridge-Aggregation2 was notified a topology change.
%Feb 27 16:49:56:798 2013 HP5140-Bat-3-3 STP/6/STP_NOTIFIED_TC: Instance 0's port Bridge-Aggregation2 was notified a topology change.
%Feb 27 16:53:18:071 2013 HP5140-Bat-3-3 LLDP/6/LLDP_DELETE_NEIGHBOR: Nearest bridge agent neighbor deleted on port GigabitEthernet1/0/24 (IfIndex 24), neighbor's chassis ID is b07b-2534-668f, port ID is b07b-2534-668f.

I'm very new to server administration, I am a little bit lost.
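The following is an added example and not code from the thread or from Logstash. It does in Python what the grok and date filters discussed in the replies above have to do for the HP Comware lines quoted in this post: the Comware timestamp carries the year and, in the console form, milliseconds, which the standard SYSLOGTIMESTAMP pattern does not expect, so the fields have to be split with a pattern written for this format. It also keeps the UDP sender address (what the syslog input observes about the peer) as a field separate from the hostname the switch writes into the message, which is the distinction the answer above draws between host/logsource and syslog_hostname. The sample datagrams are constructed: the payloads are the lines quoted in the thread, the peer addresses are made up, and the switch clock is assumed to be UTC. The grok pattern in the comment is an untested sketch, not something from the thread.

```python
"""Parse HP Comware (HP 5140) syslog datagrams, keeping the sender IP
separate from the hostname inside the message.

Added example, not code from the thread or from Logstash.
"""
import re
from datetime import datetime, timezone

# Regex for the Comware line format.  Both shapes quoted in the thread match:
#   <189>Oct 9 14:59:04 2022 Sysname %%10SHELL/5/SHELL_LOGIN(l): VTY logged in from 192.168.1.1
#   %Feb 27 16:48:01:854 2013 HP5140-Bat-3-3 IFNET/3/PHY_UPDOWN: Physical state on ... changed to up.
COMWARE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?%?"                            # optional <PRI>, optional leading %
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) "             # month and day (one or two spaces)
    r"(?P<time>\d{2}:\d{2}:\d{2})(?::(?P<ms>\d{3}))? "       # HH:MM:SS with optional :mmm
    r"(?P<year>\d{4}) (?P<hostname>\S+) "                     # year, then the switch's sysname
    r"(?:%%(?P<vendor>\d+))?"                                 # optional %%10 vendor id
    r"(?P<module>[A-Za-z0-9_]+)/(?P<severity>\d)/"           # MODULE/severity/
    r"(?P<mnemonic>[A-Za-z0-9_]+)(?:\([a-z]\))?: "            # MNEMONIC, optional (l) marker
    r"(?P<msg>.*)$"
)

# Untested sketch of the same thing as a grok pattern (assumption, not from the thread):
# (?:<%{POSINT:priority}>)?%?%{MONTH:month} +%{MONTHDAY:day} %{TIME:time} %{YEAR:year}
#   %{HOSTNAME:syslog_hostname} (?:%%%{INT:vendor})?%{WORD:module}/%{INT:severity}/
#   %{WORD:mnemonic}(?:\([a-z]\))?: %{GREEDYDATA:syslog_message}

SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]


def parse_comware(line, sender_ip=None, tz=timezone.utc):
    """Parse one Comware syslog line into a flat event dict.

    sender_ip is the peer address of the UDP datagram (what the socket, and
    the Logstash syslog input, observed).  It is stored separately from the
    hostname the switch wrote into the message, since the two can differ.
    Returns None if the line is not in Comware format (grok would instead
    tag the event with _grokparsefailure).
    """
    m = COMWARE_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    # Comware stamps the year but no timezone; this example assumes the switch
    # clock is UTC.  Pass the switch's real zone as tz if it is something else.
    ts = datetime.strptime(f"{f['mon']} {f['day']} {f['year']} {f['time']}",
                           "%b %d %Y %H:%M:%S")
    ts = ts.replace(microsecond=int(f["ms"] or 0) * 1000, tzinfo=tz)
    sev = int(f["severity"])
    event = {
        "@timestamp": ts,                  # from the message, not the receive time
        "syslog_hostname": f["hostname"],  # what the switch claims to be
        "sender_ip": sender_ip,            # what the network actually showed
        "module": f["module"],
        "severity": sev,
        "severity_label": SEVERITY_NAMES[sev] if sev < 8 else "unknown",
        "mnemonic": f["mnemonic"],
        "syslog_message": f["msg"],
    }
    if f["pri"] is not None:
        pri = int(f["pri"])
        event["facility"] = pri // 8       # 189 -> 23 (local7)
        event["pri_severity"] = pri % 8    # 189 -> 5  (notice)
    return event


def parse_datagram(data, addr):
    """Parse a (payload, (ip, port)) pair as returned by socket.recvfrom()."""
    line = data.decode("utf-8", errors="replace").rstrip("\r\n")
    return parse_comware(line, sender_ip=addr[0])


# Constructed sample datagrams: payloads are the lines quoted in the thread,
# peer addresses are made up so that two switches stay distinguishable.
SAMPLE_DATAGRAMS = [
    (b"<189>Oct 9 14:59:04 2022 Sysname %%10SHELL/5/SHELL_LOGIN(l): VTY logged in from 192.168.1.1",
     ("10.128.2.10", 514)),
    (b"%Feb 27 16:48:01:854 2013 HP5140-Bat-3-3 IFNET/3/PHY_UPDOWN: "
     b"Physical state on the interface GigabitEthernet1/0/2 changed to up.",
     ("10.128.2.11", 514)),
    (b"this is not a Comware line at all", ("10.128.2.12", 514)),
]


def parse_all(datagrams=SAMPLE_DATAGRAMS):
    """Parse every sample datagram; unparseable ones come back as None."""
    return [parse_datagram(data, addr) for data, addr in datagrams]


def serve(bind_ip="0.0.0.0", port=5514):
    """Minimal UDP listener showing where sender_ip comes from (not run by the
    tests; 5514 is used because binding 514 needs root)."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        while True:
            data, addr = sock.recvfrom(65535)
            print(parse_datagram(data, addr))


if __name__ == "__main__":
    for ev in parse_all():
        print(ev)
```

Run it directly to see the three results: the two Comware lines come out with their own hostname, module, severity and message timestamp, and with the peer address in sender_ip, while the non-Comware line comes back as None, which is the case a grok filter would tag as a parse failure. In a Logstash pipeline the same split belongs in the grok filter, and the year-bearing timestamp in a date filter, as the earlier reply suggests.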
