Syslog from network devices to Filebeat

sera · July 13, 2020, 8:59am

Hi - I can't seem to get Filebeat to collect syslog from ONLY my network devices. It seems to collect everything from /var/log/messages (Filebeat installed on Centos 7) and from my network devices.

Here are the input/output parts of my filebeat.yml:

filebeat.inputs:
 
 - type: syslog
   protocol.udp:
     host: "0.0.0.0:10514"
 
 output.logstash:
   hosts: ["localhost:5044"]

The end result is that in Elasticsearch I am seeing all logs from /var/log/messages and from the network devices, instead of only from the network devices.

module.d/system.yml looks like this:

 - module: system
   syslog:
     enabled: true

Thanks,
Sera

ChrsMark · July 13, 2020, 11:58am

Hi!

Since you want to collect only network inputs you need to disable system module.
Most probably it is module.d/system.yml that is responsible for collecting the log messages from /var/log/.

C.

sera · July 13, 2020, 12:02pm

But if I disable the system module won't that disable the syslog ingest pipeline? I want these logs to appear in the "Dashboards [Filebeat System] ECS". Is that the best ES dashboard to use for this?

Thanks!

ChrsMark · July 14, 2020, 7:43am

Hi again!

I think I'm little bit confused. Do you need to collect logs from /var/log/messages too or you just want to collect from network using:

 - type: syslog
   protocol.udp:
     host: "0.0.0.0:10514"

?

C.

sera · July 14, 2020, 7:56am

My apologies - I did not understand - I assumed that the pre-built syslog dashboard could be applied to network syslog. I see now that this dashboard is only for linux/unix syslog.

Sera

system · August 11, 2020, 9:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.