I need to receive syslog from different systems.
All syslogs are using UDP port 514, and this cannot be changed at the source.
Now I need to separate the different syslogs in Logstash.
On the Logstash system, ports below 1024 are reserved.
So now I have two solutions:

**Solution A**
- In Logstash, use port forwarding to forward the syslog to port 5514 and preserve the source IP address.
- Filter on the source [host][ip] and add tags to the syslog.

**Solution B**
- In Logstash, use port forwarding rules to forward syslogs to different ports, e.g. 5514, 6514.
- Separate the logs by port number.

I just wonder which solution is better. Are there any best practices?
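
The two options from the post, written out as Logstash pipeline configuration; this is an added example, not part of the original post. The addresses `192.0.2.10` and `192.0.2.20` and the tag names are constructed, and it assumes the forwarding from UDP 514 is already in place on the host and that ECS compatibility is enabled so the udp input stores the sender address in `[host][ip]`.

```logstash
# Use ONE of the two alternatives; both bind port 5514.

# --- Solution A: single listener, classify by source address ---
input {
  udp {
    port => 5514              # UDP 514 is forwarded here
    type => "syslog"
  }
}
filter {
  if [host][ip] == "192.0.2.10" {          # constructed address
    mutate { add_tag => ["firewall"] }     # hypothetical tag name
  } else if [host][ip] == "192.0.2.20" {   # constructed address
    mutate { add_tag => ["switch"] }       # hypothetical tag name
  } else {
    # Senders that match no known address stay visible instead of
    # being silently mixed into another stream.
    mutate { add_tag => ["unknown_source"] }
  }
}

# --- Solution B: one listener per source, classify by port ---
# The forwarding rules decide which sender reaches which port.
input {
  udp {
    port => 5514
    type => "syslog"
    tags => ["firewall"]
  }
  udp {
    port => 6514
    type => "syslog"
    tags => ["switch"]
  }
}
```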