Show udp source port

I'm using Logstash to ingest the logs sent (via udp) by 5 different applications running on another machine.
Each application sends its log to Logstash from a different port (e.g. application_1 from port 1760, application_2 from port 1761 etc). Their source code cannot be modified.
I would like to filter the logs via the source.port, but I don't understand how to make it visible in Logstash and ultimately in Kibana.
Is there a way to find out the source port of the received log?

My Logstash conf file looks like this

input {
  udp {
    port => 10514
    type => udp
  }
}

filter {
  grok {
    match => { "message" => "%{GREEDYDATA:log_message}\s" }
  }
}

output {
  elasticsearch {
    hosts => ["server_ip:9200"]
    user => "elastic"
    password => "pass"
    index => "log-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}

Not using the udp input that ships with logstash. The code pulls the IP address out of the inet_addr structure and adds that to the event, but does not do the same for the source port. You could trivially modify the input to do so and build it yourself.
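
As an added illustration of the reply above (not the Logstash udp input's code, and not from either poster): Ruby's `UDPSocket#recvfrom` returns the sender's address array, which carries the source port next to the IP address. The event field names `host` and `source_port` and the loopback demo traffic are assumptions made for this example.

```ruby
require "socket"

# Receive one datagram and build an event-like hash that keeps both the
# sender's IP address and its UDP source port.
# "host" and "source_port" are hypothetical field names for this example.
def receive_event(server, buffer_size = 65_536)
  payload, sender = server.recvfrom(buffer_size)
  # sender is [address_family, port, hostname, numeric_address]
  _family, port, _hostname, address = sender
  {
    "message"     => payload,
    "host"        => address,
    "source_port" => port
  }
end

# Constructed loopback demo: a client bound to an ephemeral port sends one
# line to a listener, and the listener reports the port it saw.
def demo
  server = UDPSocket.new
  server.bind("127.0.0.1", 0)           # port 0: let the OS pick a free port
  server_port = server.addr[1]

  client = UDPSocket.new
  client.bind("127.0.0.1", 0)           # stands in for an application's fixed port
  client_port = client.addr[1]
  client.send("application_1 test line", 0, "127.0.0.1", server_port)

  # Wait up to 2 seconds so a lost datagram does not block forever.
  raise "no datagram received" unless IO.select([server], nil, nil, 2)
  event = receive_event(server)
  [event, client_port]
ensure
  server&.close
  client&.close
end

if __FILE__ == $PROGRAM_NAME
  event, client_port = demo
  puts "client bound to #{client_port}, event: #{event.inspect}"
end
```

A UDP source port is chosen by the sender and is not authenticated, so a field like this identifies the application only as far as the sending host and the network path are trusted.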
