Syslog stream


(Salma Ait Lhaj) #1

Hi,

I want to know, please, how can I configure Logstash to retrieve a syslog stream directly.


(Charaf Ahmed) #2

Hi,

Sorry if my English is bad; I do not normally speak English.

Here is an example of a configuration file for log collection:
input {
  udp {
    port => 514   # default syslog port (ports below 1024 need root or CAP_NET_BIND_SERVICE to bind)
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    # Split the syslog envelope into timestamp, host, program[pid] and message
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    # Use the timestamp from the log line as the event time (no year in the line, so the current year is assumed)
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}


(Salma Ait Lhaj) #3

Can I write my conf file like this? (Can I write my configuration file like this? Because syslog is going to send me logs from the Cisco ASA firewall.)

input {
  udp {
    port => 514
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    # Syslog envelope: timestamp, host, program[pid] and the message body
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }

  # Separate the ASA tag (e.g. %ASA-6-302013) from the rest of the line
  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:hostname} %{DATA:cisco_tag}: %{GREEDYDATA:cisco_message}" }
  }

  # Parse the ASA message body; the patterns are tried in order until one matches
  grok {
    match => [
      "cisco_message", "%{CISCOFW106001}",
      "cisco_message", "%{CISCOFW106006_106007_106010}",
      "cisco_message", "%{CISCOFW106014}",
      "cisco_message", "%{CISCOFW106015}",
      "cisco_message", "%{CISCOFW106021}",
      "cisco_message", "%{CISCOFW106023}",
      "cisco_message", "%{CISCOFW106100}",
      "cisco_message", "%{CISCOFW110002}",
      "cisco_message", "%{CISCOFW302010}",
      "cisco_message", "%{CISCOFW302013_302014_302015_302016}",
      "cisco_message", "%{CISCOFW302020_302021}",
      "cisco_message", "%{CISCOFW305011}",
      "cisco_message", "%{CISCOFW313001_313004_313008}",
      "cisco_message", "%{CISCOFW313005}",
      "cisco_message", "%{CISCOFW402117}",
      "cisco_message", "%{CISCOFW402119}",
      "cisco_message", "%{CISCOFW419001}",
      "cisco_message", "%{CISCOFW419002}",
      "cisco_message", "%{CISCOFW500004}",
      "cisco_message", "%{CISCOFW602303_602304}",
      "cisco_message", "%{CISCOFW710001_710002_710003_710005_710006}",
      "cisco_message", "%{CISCOFW713172}",
      "cisco_message", "%{CISCOFW733100}",
      "cisco_message", "%{WORD:action} %{WORD:protocol} %{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}$
      "cisco_message", "%{CISCO_ACTION:action} %{WORD:protocol} %{CISCO_REASON:reason}.(%{IP:src_ip}).%{IP:dst_ip} on interface %{GREEDYDATA:interface}",
      "cisco_message", "Connection limit exceeded %{INT:inuse_connections}/%{INT:connection_limit} for input packet from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:$
      "cisco_message", "TCP Intercept %{DATA:threat_detection} to %{IP:ext_nat_ip}/%{INT:ext_nat_port}.*(%{IP:int_nat_ip}/%{INT:int_nat_port}).*Average rate of %{INT:syn_av$
      "cisco_message", "Embryonic connection limit exceeded %{INT:econns}/%{INT:limit} for %{WORD:direction} packet from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:$
    ]
  }
}

output {
  elasticsearch {
    hosts => [ "localhost:9200" ]
  }
  stdout { codec => rubydebug }
}
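Added example, not part of this thread or of Logstash itself: a small Python mirror of the pipeline that the two configurations above (post #2 and post #3) describe, so that what each filter stage extracts from a Cisco ASA syslog line can be checked offline before the config goes into Logstash. The regexes are constructed equivalents of the grok patterns (the SYSLOGTIMESTAMP/SYSLOGHOST envelope, then a narrowed version of CISCOFW302013_302014_302015_302016 for Built/Teardown connection messages), not copies of Logstash's pattern files, and the sample lines, hostnames and addresses are constructed. Two things it makes visible that the thread's config does not: a datagram arriving on the `udp` input still carries its `<PRI>` prefix, so the envelope pattern has to allow for it, and `received_from` is simply the source address of the datagram, which UDP does nothing to authenticate.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Stage 1: the syslog envelope, i.e. the thread's
#   %{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT:pid}\])?: %{GREEDYDATA}
# as a plain regex (constructed for this example). The optional <PRI> prefix
# is what an RFC 3164 datagram carries; the udp input does not strip it.
SYSLOG_ENVELOPE = re.compile(
    r"^(?:<(?P<syslog_pri>\d{1,3})>)?"
    r"(?P<syslog_timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_hostname>[\w.:-]+) "
    r"(?P<syslog_program>[^\[:]+?)(?:\[(?P<syslog_pid>\d+)\])?: "
    r"(?P<syslog_message>.*)$"
)

# Stage 2: the ASA tag %ASA-<severity>-<message id> that lands in syslog_program
# (the thread's second grok calls the same thing cisco_tag).
ASA_TAG = re.compile(r"^%ASA-(?P<severity>\d)-(?P<message_id>\d{6})$")

# Stage 3: a simplified stand-in for CISCOFW302013_302014_302015_302016
# (Built/Teardown connection messages). Constructed; narrower than the real one.
ASA_CONNECTION = re.compile(
    r"^(?P<action>Built|Teardown) (?:(?P<direction>inbound|outbound) )?"
    r"(?P<protocol>TCP|UDP) connection (?P<connection_id>\d+) for "
    r"(?P<src_interface>[^:]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
    r"(?: \((?P<src_mapped_ip>[\d.]+)/(?P<src_mapped_port>\d+)\))? to "
    r"(?P<dst_interface>[^:]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
    r"(?: \((?P<dst_mapped_ip>[\d.]+)/(?P<dst_mapped_port>\d+)\))?"
    r"(?: duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+))?"
    r"(?: (?P<reason>.+))?$"
)


def udp_input(data: bytes, sender_ip: str) -> dict:
    """What `udp { type => syslog }` contributes: the raw datagram as `message`,
    its source address as `host`, and the type. Nothing here is authenticated."""
    return {"message": data.decode("utf-8", errors="replace").rstrip("\r\n"),
            "host": sender_ip, "type": "syslog"}


def parse_syslog_timestamp(ts: str, now: datetime) -> datetime:
    """Equivalent of the date filter with "MMM d HH:mm:ss": the line has no year,
    so the current one is assumed (lines from late December read in early
    January therefore land a year in the future)."""
    normalized = " ".join(ts.split())  # "Mar  7" -> "Mar 7"
    parsed = datetime.strptime(f"{now.year} {normalized}", "%Y %b %d %H:%M:%S")
    return parsed.replace(tzinfo=timezone.utc)


def filter_event(event: dict, now: Optional[datetime] = None) -> dict:
    """Run the thread's filter stages over one event and return an enriched copy.
    A stage that does not match adds `_grokparsefailure`, as grok does."""
    now = now or datetime.now(timezone.utc)
    out = dict(event)
    if out.get("type") != "syslog":
        return out
    env = SYSLOG_ENVELOPE.match(out["message"])
    if not env:
        out.setdefault("tags", []).append("_grokparsefailure")
        return out
    out.update({k: v for k, v in env.groupdict().items() if v is not None})
    out["received_from"] = out["host"]
    out["@timestamp"] = parse_syslog_timestamp(out["syslog_timestamp"], now).isoformat()
    tag = ASA_TAG.match(out["syslog_program"])
    if tag:  # only ASA lines go through the connection-message stage
        out["cisco_severity"] = int(tag["severity"])
        out["cisco_message_id"] = tag["message_id"]
        conn = ASA_CONNECTION.match(out["syslog_message"])
        if conn:
            out.update({k: v for k, v in conn.groupdict().items() if v is not None})
        else:
            out.setdefault("tags", []).append("_grokparsefailure")
    return out


# Constructed sample datagrams (RFC 5737 addresses, hostname fw01 is made up).
SAMPLE_LINES = [
    b"<166>Mar  7 10:15:01 fw01 %ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:192.0.2.10/443 (192.0.2.10/443)\n",
    b"Mar  7 10:15:06 fw01 %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/51234 to inside:192.0.2.10/443 duration 0:00:05 bytes 1234 TCP FINs\n",
    b"Mar  7 10:15:07 fw01 sshd[4242]: Accepted publickey for admin from 192.0.2.20 port 50000 ssh2\n",
]


def run_samples(now: Optional[datetime] = None) -> list:
    """Feed every sample through the input and filter stages."""
    return [filter_event(udp_input(line, "198.51.100.1"), now) for line in SAMPLE_LINES]


if __name__ == "__main__":
    for ev in run_samples():
        print(ev)
```

The third sample is an ordinary sshd line: it passes the envelope stage and gets `syslog_pid`, but is not an ASA message, so the connection stage is skipped rather than tagged as a failure. Anything that does not even fit the envelope (a datagram without a timestamp, for instance an ASA that has `logging timestamp` turned off) gets `_grokparsefailure`, which is worth alerting on, since it means events are reaching Elasticsearch unparsed.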


(Jymit Singh Khondhu) #4

@asalma
The endpoint device being an ASA is of no issue; as long as it's in syslog you can grok the fields you want to put into Elasticsearch.

Your English is good enough for all to understand your ask.

Please note, if you are more comfortable in French over English we also have this section of our discuss forums: https://discuss.elastic.co/c/in-your-native-tongue


(Salma Ait Lhaj) #5

Can you help me modify my file? What should I change?


(Salma Ait Lhaj) #6

My problem is that I have firewall logs in syslog and I want to redirect them directly to Logstash so that they go through the filter and I can see them in Kibana.

How can I write my config file?


(Charaf Ahmed) #7

Can you see your logs when you look through the system files (for example: /var/log/etc)?


(Jymit Singh Khondhu) #8

See the syslog examples here:


(system) #9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.