Receive syslog logs and forward copy to another server

juancamiloll · December 4, 2024, 7:33pm

Hello,

I need to receive them via syslog through logstash, process them and send them to the elasticsearch cluster, but I also need the original logs to go a copy to another server to another SIEM that I have.

I would like to know if it works like this or if I have any error or if you can give me some suggestions.

input {
    tcp {
       port => 51403
       id => "51403_input_fortinet"
       type => "fortigate"
    }
}

filter {
    if [type] == "fortigate" {

        grok {
            match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} %{DATA:program}: %{GREEDYDATA:fortinet_message}" }
        }

        kv {
            source => "fortinet_message"
            field_split => " "
            value_split => "="
        }

        date {
            match => [ "timestamp", "MMM dd HH:mm:ss" ]
            target => "@timestamp"
        }

        mutate {
            remove_field => ["fortinet_message", "message"]
        }
    }
}

output {
    if [type] == "fortigate" {
        elasticsearch {
            id => "51403_output_fortinet"
            hosts => ["https://goku:9200","https://vegeta:9200","https://gohan:9200"]
            data_stream => true
            data_stream_type => "logs"
            data_stream_dataset => "fortinet"
            data_stream_namespace => "produccion"
            user => "camehameha"
            password => "tararararahey_tararara_hey"
            ssl_enabled  => true
            ssl_certificate_authorities => "/etc/logstash/certs/ca.crt"
        }
    }

###### forward to another server 
udp {
    host => "172.26.6.6"
    port => 514
  }

}

Badger · December 5, 2024, 12:20am

That udp output will send the event that you have modified in the filter section. If you want to send the original event then add

codec => plain { format => "%{[event][original]}" }

juancamiloll · December 5, 2024, 12:54pm

I also have this error message, as far as I can understand, the “syslog” plugin is not installed.

When I go to the documentation it confirms that it is indeed not installed by default. and I have to install it with bin/logstash-plugin install logstash-output-syslog

[2024-12-04T16:15:21,572][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"Java::JavaLang::IllegalStateException", :message=>"Unable to configure plugins: (PluginLoadingError) Couldn't find any output plugin named 'syslog'. Are you sure this is correct? Trying to load the syslog output plugin resulted in this error: Unable to load the requested plugin named syslog of type output. The plugin is not installed.", :backtrace=>["org.logstash.config.ir.CompiledPipeline.<init>(CompiledPipeline.java:120)", "org.logstash.execution.AbstractPipelineExt.initialize(AbstractPipelineExt.java:186)", "org.logstash.execution.AbstractPipelineExt$INVOKER$i$initialize.call(AbstractPipelineExt$INVOKER$i$initialize.gen)", "org.jruby.internal.runtime.methods.JavaMethod$JavaMethodN.call(JavaMethod.java:847)", "org.jruby.ir.runtime.IRRuntimeHelpers.instanceSuper(IRRuntimeHelpers.java:1379)", "org.jruby.ir.instructions.InstanceSuperInstr.interpret(InstanceSuperInstr.java:139)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:363)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:128)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:115)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:446)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:92)", "org.jruby.RubyClass.newInstance(RubyClass.java:949)", "org.jruby.RubyClass$INVOKER$i$newInstance.call(RubyClass$INVOKER$i$newInstance.gen)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:446)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:92)", "org.jruby.ir.instructions.CallBase.interpret(CallBase.java:548)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:363)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.ir.interpreter.InterpreterEngine.interpret(InterpreterEngine.java:88)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.INTERPRET_METHOD(MixedModeIRMethod.java:238)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:225)", "org.jruby.internal.runtime.methods.DynamicMethod.call(DynamicMethod.java:228)", "org.jruby.runtime.callsite.CachingCallSite.cacheAndCall(CachingCallSite.java:476)", "org.jruby.runtime.callsite.CachingCallSite.call(CachingCallSite.java:293)", "org.jruby.ir.interpreter.InterpreterEngine.processCall(InterpreterEngine.java:324)", "org.jruby.ir.interpreter.StartupInterpreterEngine.interpret(StartupInterpreterEngine.java:66)", "org.jruby.ir.interpreter.Interpreter.INTERPRET_BLOCK(Interpreter.java:118)", "org.jruby.runtime.MixedModeIRBlockBody.commonYieldPath(MixedModeIRBlockBody.java:136)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:66)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:58)", "org.jruby.runtime.Block.call(Block.java:144)", "org.jruby.RubyProc.call(RubyProc.java:354)", "org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:111)", "java.base/java.lang.Thread.run(Thread.java:1583)"], :cause=>{:exception=>Java::OrgJrubyExceptions::Exception, :message=>"(PluginLoadingError) Couldn't find any output plugin named 'syslog'. Are you sure this is correct? Trying to load the syslog output plugin resulted in this error: Unable to load the requested plugin named syslog of type output. The plugin is not installed.", :backtrace=>["RUBY.lookup_pipeline_plugin(/usr/share/logstash/logstash-core/lib/logstash/plugins/registry.rb:245)", "RUBY.lookup(/usr/share/logstash/logstash-core/lib/logstash/plugin.rb:165)", "org.logstash.plugins.factory.PluginFactoryExt.plugin(org/logstash/plugins/factory/PluginFactoryExt.java:229)", "org.logstash.execution.AbstractPipelineExt.initialize(org/logstash/execution/AbstractPipelineExt.java:186)", "RUBY.initialize(/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:48)", "org.jruby.RubyClass.new(org/jruby/RubyClass.java:949)", "RUBY.execute(/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:49)", "RUBY.converge_state(/usr/share/logstash/logstash-core/lib/logstash/agent.rb:386)"]}}

Topic		Replies	Views
Parse firewall logs collected by logstash through syslog Logstash	12	9715	July 13, 2018
Syslog forwarding question -> Logstash (very basic) Logstash	8	15486	May 9, 2018
Forward logstash logs to another SIEM Logstash elastic-stack-alerting	2	31	November 22, 2024
Syslogs from fortigate Elasticsearch	16	4430	August 23, 2018
Logstash - Syslog Help - I am a total pleb Logstash	6	1334	January 2, 2018

Receive syslog logs and forward copy to another server

Related topics