Syslogging Struggle - newbie alert

Hi, I'm just getting familiar with Elastic Stack, and implementing ELK with Filebeat to a syslog server that receives the syslogs from various routers on a network.

The routers are running RouterOS on MikroTik routers, which I believe is set up properly to send the data.

Then Filebeat is configured to receive on the same port via the syslog config settings. This appears to be functioning, as netstat shows the ports to be listening/available.

The next step I am a bit lost for is what I need to do so the rest of the stack communicates and parses/visualizes the data.

Logstash is set up simply to listen to Filebeat and output to Elasticsearch/Kibana.

I cannot find any Elasticsearch modules that deal with general syslogs other than for the host server logs (System module), and all other modules appear to deal with proprietary equipment.

Do I need to create ingest pipelines specifically to read the data from MikroTik/RouterOS, even though they supposedly ship data in BSD format? If so, which program should I do this in? Filebeat? Logstash? Or Elasticsearch/Kibana?

And afterwards, I assume I will have to create a custom dashboard, but I think I can figure that out as long as I can find where the data is from the routers.

What am I missing in order to begin seeing stats from these routers? Thank you in advance!

Welcome to our community! :smiley:

It sounds like you want to use Logstash to process the logs using grok, to structure them, and then push them to Elasticsearch. Or use an ingest pipeline in Elasticsearch to do it. As you mention, there is no Filebeat module to do this for you.
(There are existing Logstash grok patterns for MikroTik, but they aren't in Elasticsearch for some reason!)

And yes, you will need a custom dashboard due to the lack of a module.
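To make the "structure them with grok" step concrete, here is an added example (not code from the thread or from Elastic) that does in plain Python what a Logstash grok filter or an Elasticsearch ingest pipeline would do to RouterOS syslog lines: split the RFC 3164 header (PRI, timestamp, host) from the body, decode facility and severity from the PRI value, pull out the comma-separated RouterOS topic list, and, for firewall messages, extract source/destination IP and port. The sample lines are constructed; the "topics message" body layout, the field names and the regexes are this example's assumptions, not something the original post confirms. Lines that do not match are returned separately so they can be tagged rather than silently dropped, which is what you want when you later build detections on these fields.

```python
import re
from typing import Optional

# Constructed sample lines in BSD (RFC 3164) syslog format, as a RouterOS device
# might ship them to a remote syslog server. "<PRI>", timestamp and host are the
# standard RFC 3164 header; the "topic,topic message" body layout is an assumption
# made for this example, not taken from the original thread.
SAMPLE_LINES = [
    "<134>Jan  5 12:34:56 gw-core firewall,info input: in:ether1 out:(unknown 0), "
    "proto TCP (SYN), 203.0.113.5:51234->192.0.2.1:22, len 60",
    "<133>Jan  5 12:35:01 gw-core system,info,account user admin logged in from 198.51.100.7 via ssh",
    "<131>Jan  5 12:35:09 gw-core system,error,critical login failure for user root from 203.0.113.9 via ssh",
    "this line is not syslog at all",
]

# Python equivalent of a grok header pattern; the Logstash form would be roughly
# "<%{POSINT:pri}>%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} %{DATA:topics} %{GREEDYDATA:message}"
# (the topics group here is stricter than DATA so it cannot swallow the message).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<topics>[a-z]+(?:,[a-z]+)*) "
    r"(?P<message>.*)$"
)

# Firewall bodies carry "proto X (flags), src:port->dst:port"; extract when present.
FIREWALL_RE = re.compile(
    r"proto (?P<proto>[A-Z]+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+):(?P<src_port>\d+)->"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+):(?P<dst_port>\d+)"
)

# RFC 5424 / RFC 3164 severity codes 0..7.
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]


def parse_line(line: str) -> Optional[dict]:
    """Return a flat dict of fields for one syslog line, or None if it doesn't parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # caller tags these, like Logstash's _grokparsefailure
    pri = int(m.group("pri"))
    event = {
        "syslog.facility": pri // 8,
        "syslog.severity": pri % 8,
        "syslog.severity_name": SEVERITY_NAMES[pri % 8],
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "routeros.topics": m.group("topics").split(","),
        "message": m.group("message"),
    }
    fw = FIREWALL_RE.search(event["message"])
    if fw:
        # Field names follow ECS-style naming (assumption for this example).
        event.update({
            "network.transport": fw.group("proto").lower(),
            "source.ip": fw.group("src_ip"),
            "source.port": int(fw.group("src_port")),
            "destination.ip": fw.group("dst_ip"),
            "destination.port": int(fw.group("dst_port")),
        })
    return event


def parse_lines(lines):
    """Split a batch into (parsed events, raw lines that failed to parse)."""
    parsed, failed = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            failed.append(line)
        else:
            parsed.append(ev)
    return parsed, failed


if __name__ == "__main__":
    ok, bad = parse_lines(SAMPLE_LINES)
    for ev in ok:
        print(ev)
    print("unparsed:", bad)
```

If you do this in Logstash instead, the same regex groups become the grok `match`, the PRI arithmetic becomes a `syslog_pri` filter, and the unparsed lines show up with the `_grokparsefailure` tag; keep those rather than dropping them, because a router emitting messages your pattern does not expect is itself worth seeing in Kibana.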

Cool, thank you for the reply! I'll head in this direction, much appreciated!

Do you have a .conf file started for Logstash?

I have a beats input .conf and an Elasticsearch output .conf.

I already have the server data "system module" feeding into Elasticsearch, as well as the netflow module via one of the MikroTik routers.

This syslog from the routers is the last piece of this puzzle. Will I need a third .conf, or would I manipulate the one that is coming from Filebeat?
