Hello,
In our testing scenario we are trying to forward logs from one NLS (NLS1) to a second one (NLS2). This test should verify whether we will be able to send logs to the corporate LogRhythm collector through NLS.
Practically, I want to see syslog messages from Linux and network devices (arriving at the default port 5544 on NLS1) and Windows event logs (arriving at NLS1:3515) in NLS2 as correctly parsed records.
I tried a simple UDP output, but it converted the event logs to syslog messages and they were not parsed correctly. How should I set the filters and output to get this working?
Thank you,
Michal
Log forwarding to other NLS or SIEM
Re: Log forwarding to other NLS or SIEM
I discussed some of these topics in this thread:
https://support.nagios.com/forum/viewto ... 37&t=41560
I'll first point out where the sneaky Output rules are hidden:

Assuming port 9300 on the "destination" machine is listening, which is what Elasticsearch uses for the 'transport' protocol, this is the minimum of what you would need for an Output rule:

```
elasticsearch {
    cluster => 'destination_cluster_id-here'
    host => 'destination_host_here'
    document_type => '%{type}'
    protocol => 'transport'
    workers => 4
}
```

If you wanted extra logic to only forward linux/network logs, the logic could look something like this:

```
if [type] in ["linux_things", "network_things"] {
    elasticsearch {
        cluster => 'destination_cluster_id-here'
        host => 'destination_host_here'
        document_type => '%{type}'
        protocol => 'transport'
        workers => 4
    }
}
```

Sending it directly to another Elasticsearch cluster should preserve any filter/input rules previously applied, so you wouldn't necessarily need to double-up on the work in regards to parsing.
Former Nagios employee
https://www.mcapra.com/
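Added example, not the poster's or Nagios' own config: the two inputs from the question (syslog on 5544, Windows event logs on 3515) wired to the transport output from the reply, so the `[type]` values the conditional tests on are visible where they are set. The type names `syslog` and `eventlog`, the cluster name and the host are assumed placeholders.

```conf
# Added example, not the poster's config. Inputs as on NLS1: syslog on 5544,
# Windows event logs (JSON from the agent) on 3515. Type names are assumed.
input {
    syslog {
        port => 5544
        type => 'syslog'
    }
    tcp {
        port => 3515
        codec => json { }
        type => 'eventlog'
    }
}

# Filters are whatever NLS1 already applies; the fields they parse out
# travel with the event because the output below ships the whole document,
# not a re-serialised syslog line (which is what the UDP output did).

output {
    # NLS1's own local elasticsearch output stays in place and is not shown.
    # Forward both streams to NLS2 over the Elasticsearch transport protocol
    # (port 9300 on NLS2). Events with any other type are kept local only.
    if [type] in ["syslog", "eventlog"] {
        elasticsearch {
            cluster => 'nls2_cluster_name'      # assumed placeholder
            host => 'nls2.example.internal'     # assumed placeholder
            document_type => '%{type}'
            protocol => 'transport'
            workers => 4
        }
    }
}
```

The transport client only works when NLS1's Logstash is built against the same Elasticsearch version NLS2 runs, and port 9300 on NLS2 carries no authentication of its own, so restrict it at the firewall to NLS1's address.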