We utilize a central syslog infrastructure in our environment. I have both Windows log forwarders and network devices pumping log data to Kiwi Syslog. I then filter and forward as needed. All go to the SIEM, some are presented in the console views, and some or all get forwarded to the various log analysis tools I've demo'd.
Below is the raw data from a syslog message from a network device. The whole original log message comes in as the "message" field from the forwarding server. Any ideas on how to break this out? Is this done through filters?
{
  "_index": "logstash-2014.10.21",
  "_type": "syslog",
  "_id": "CA7X_HsHQ8yca-OmIL1Cow",
  "_score": null,
  "_source": {
    "message": "<43>Oct 21 14:02:23 10.40.4.245 Kiwi_Syslog_Server Original Address=10.40.4.245 WLC-101A.UNI1: *dot1xMsgTask: Oct 21 19:02:16.510: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 74:f0:6d:51:f3:01",
    "@version": "1",
    "@timestamp": "2014-10-21T23:02:19.577Z",
    "type": "syslog",
    "host": "10.70.5.24",
    "tags": [
      "_grokparsefailure"
    ],
    "priority": 13,
    "severity": 5,
    "facility": 1,
    "facility_label": "user-level",
    "severity_label": "Notice"
  },
  "sort": [
    1413932539577,
    1413932539577
  ]
}
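Added example, not code from the original post or from Kiwi/Logstash: yes, this is filter work. The message has three layers stacked in one line: the RFC 3164 header Kiwi's forwarder puts on (PRI, timestamp, relay host, "Kiwi_Syslog_Server"), Kiwi's own "Original Address=" tag, and then the untouched Cisco WLC (AireOS) line, whose format is HOST: *TASK: TIMESTAMP: %FACILITY-SEVERITY-MNEMONIC: [file:line] text. The Python below carries the same two named-capture regexes you would put in a Logstash grok filter and runs them over the line from the post (embedded here as a constructed sample). Note that the PRI <43> decodes to facility 5 / severity 3 (error); the priority 13 / facility 1 / severity 5 in the indexed event are the defaults Logstash substitutes when its syslog grok fails, which is what the _grokparsefailure tag is telling you, so those fields should not be used for alerting until the parse is fixed. Field names and the failure tags are my own choices.

```python
import re

# Constructed sample: the relayed line quoted in the post above.
SAMPLE = ("<43>Oct 21 14:02:23 10.40.4.245 Kiwi_Syslog_Server "
          "Original Address=10.40.4.245 WLC-101A.UNI1: *dot1xMsgTask: "
          "Oct 21 19:02:16.510: %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 "
          "Max EAP identity request retries (3) exceeded for client 74:f0:6d:51:f3:01")

# RFC 3164 severity and facility names (same labels Logstash's syslog input uses).
SEVERITY_LABELS = ["Emergency", "Alert", "Critical", "Error",
                   "Warning", "Notice", "Informational", "Debug"]
FACILITY_LABELS = ["kernel", "user-level", "mail", "daemon", "security/authorization",
                   "syslogd", "line printer", "network news", "UUCP", "clock",
                   "security/authorization", "FTP", "NTP", "log audit", "log alert",
                   "clock"] + ["local%d" % i for i in range(8)]

# Layer 1+2: <PRI>TIMESTAMP RELAYHOST RELAYAPP Original Address=ADDR <device message>
KIWI_RE = re.compile(r"""
    ^<(?P<pri>\d{1,3})>
    (?P<relay_ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s
    (?P<relay_host>\S+)\s
    (?P<relay_app>\S+)\s
    Original\sAddress=(?P<orig_addr>\S+)\s
    (?P<device_msg>.*)$""", re.VERBOSE)

# Layer 3: Cisco WLC line. The file:line reference is optional because not
# every WLC message carries one.
CISCO_RE = re.compile(r"""
    ^(?P<device>[^:\s]+):\s
    \*(?P<task>[^:]+):\s
    (?P<device_ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}(?:\.\d+)?):\s
    %(?P<cisco_facility>[A-Z0-9_]+)-(?P<cisco_severity>\d)-(?P<mnemonic>[A-Z0-9_]+):\s
    (?:(?P<source_ref>\S+\.c:\d+)\s)?
    (?P<text>.*)$""", re.VERBOSE)

MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\b", re.IGNORECASE)


def parse_kiwi_syslog(line):
    """Break one Kiwi-relayed line into fields. On failure the raw line is kept
    and the event is tagged, the same way Logstash tags _grokparsefailure,
    so a bad parse is visible instead of silently producing default values."""
    event = {"message": line, "tags": []}
    m = KIWI_RE.match(line)
    if not m:
        event["tags"].append("_kiwiparsefailure")   # hypothetical tag name
        return event
    event.update(m.groupdict())
    pri = int(event.pop("pri"))
    # RFC 3164: PRI = facility * 8 + severity
    event["facility"] = pri // 8
    event["severity"] = pri % 8
    event["facility_label"] = (FACILITY_LABELS[event["facility"]]
                               if event["facility"] < len(FACILITY_LABELS) else "unknown")
    event["severity_label"] = SEVERITY_LABELS[event["severity"]]

    c = CISCO_RE.match(event["device_msg"])
    if not c:
        event["tags"].append("_ciscoparsefailure")  # hypothetical tag name
        return event
    event.update(c.groupdict())
    event["cisco_severity"] = int(event["cisco_severity"])
    mac = MAC_RE.search(event["text"])
    if mac:
        event["client_mac"] = mac.group(0).lower()
    return event


if __name__ == "__main__":
    for k, v in sorted(parse_kiwi_syslog(SAMPLE).items()):
        print("%-16s %s" % (k, v))
```

To move this into a Logstash grok filter, drop the two patterns into the filter's match option with Oniguruma-style named groups ((?<name>...) rather than Python's (?P<name>...)) and strip the VERBOSE whitespace; grok accepts raw regex alongside its %{...} macros. Run the first pattern against the message field, then a second grok against the captured device_msg, and keep the failure tags so that events where the Cisco layer doesn't match (other device types coming through the same relay) stay searchable instead of being dropped.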