Syslog stream

Hi,

I want to know, please, how can I configure Logstash to retrieve a syslog stream directly.

Hi,

Sorry, if my English is bad, I do not speak English normally.

Here is an example of a configuration file for log collection:
input {

udp {
port => 514 (default)
type => syslog
}
}

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}

Can I write my conf file like this ? ( Je peux écrire mon fichier de configuration comme ça ? parce que le syslog va m'envoyer des logs du parfeu cisco asa )

input {

    udp {
            port => 514
            type => syslog
    }

}

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}

    grok { match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{HOSTNAME:hostname} %{DATA:cisco_tag}: %{GREEDYDATA:cisco_message}"}
    }

    grok {
    match => [
      "cisco_message", "%{CISCOFW106001}",
      "cisco_message", "%{CISCOFW106006_106007_106010}",
      "cisco_message", "%{CISCOFW106014}",
      "cisco_message", "%{CISCOFW106015}",
      "cisco_message", "%{CISCOFW106021}",
      "cisco_message", "%{CISCOFW106023}",
      "cisco_message", "%{CISCOFW106100}",
      "cisco_message", "%{CISCOFW110002}",
      "cisco_message", "%{CISCOFW302010}",
      "cisco_message", "%{CISCOFW302013_302014_302015_302016}",
      "cisco_message", "%{CISCOFW302020_302021}",
      "cisco_message", "%{CISCOFW305011}",
      "cisco_message", "%{CISCOFW313001_313004_313008}",
      "cisco_message", "%{CISCOFW313005}",
      "cisco_message", "%{CISCOFW402117}",
      "cisco_message", "%{CISCOFW402119}",
      "cisco_message", "%{CISCOFW419001}",
      "cisco_message", "%{CISCOFW419002}",
      "cisco_message", "%{CISCOFW500004}",
      "cisco_message", "%{CISCOFW602303_602304}",
      "cisco_message", "%{CISCOFW710001_710002_710003_710005_710006}",

"cisco_message", "%{CISCOFW713172}",
"cisco_message", "%{CISCOFW733100}",
"cisco_message", "%{WORD:action} %{WORD:protocol} %{CISCO_REASON:reason} from %{DATA:src_interface}:%{IP:src_ip}/%{INT:src_port} to %{DATA:dst_interface}:%{IP:dst_ip}$
"cisco_message", "%{CISCO_ACTION:action} %{WORD:protocol} %{CISCO_REASON:reason}.(%{IP:src_ip}).%{IP:dst_ip} on interface %{GREEDYDATA:interface}",
"cisco_message", "Connection limit exceeded %{INT:inuse_connections}/%{INT:connection_limit} for input packet from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:$
"cisco_message", "TCP Intercept %{DATA:threat_detection} to %{IP:ext_nat_ip}/%{INT:ext_nat_port}.*(%{IP:int_nat_ip}/%{INT:int_nat_port}).*Average rate of %{INT:syn_av$
"cisco_message", "Embryonic connection limit exceeded %{INT:econns}/%{INT:limit} for %{WORD:direction} packet from %{IP:src_ip}/%{INT:src_port} to %{IP:dst_ip}/%{INT:$
]
}

}

output {
elasticsearch {
hosts => [ "localhost:9200"]
}
stdout { codec => rubydebug }
}

@asalma
The endpoint device being an ASA is of no issue, as long as its in syslog you can grok the fields you want to put into Elasticsearch.

Your English is good enough for all to understand your ask.

Please note, if you are more comfortable in French over English we also have this section of our discuss forums: https://discuss.elastic.co/c/in-your-native-tongue

Can you help me modify my file, what should I change ??

My problem is that I have firewall logs in syslog and I want to redirect them directly to logstash so they go through the filter and be able to see them in kibana.

How can I write my config file ?

Est ce que t'arrive à voir tes logs en fouilant sur les fichier systeme (exemple : /var/log/etc ) ?

See the syslog examples here:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.