trying to get logs from my netscaler

[benhank]

I an trying to get logs from my netscalers, but so far they aren't coming over.
The devices are configured to send over tcp to port 5560 and I have the following filters set up:

Code: Select all

syslog {
    type => "netscaler"
    port => "5560"
}

if [type] == 'netscaler'{
grok {
                                break_on_match => true
                                match => [
                                        "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{IP:source_ip}:%{POSINT:source_port} - %{DATA} %{IP:vserver_ip}:%{POSINT:vserver_port} - %{DATA} %{IP:nat_ip}:%{POSINT:nat_port} - %{DATA} %{IP:destination_ip}:%{POSINT:destination_port} - %{DATA} %{DATE_US:DELINK_DATE}:%{TIME:DELINK_TIME} GMT - %{DATA} %{POSINT:total_bytes_sent} - %{DATA} %{POSINT:total_bytes_recv}",
                                        "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{IP:source_ip}:%{POSINT:source_port} - %{DATA} %{IP:destination_ip}:%{POSINT:destination_port} - %{DATA} %{DATE_US:START_DATE}:%{TIME:START_TIME} GMT - %{DATA} %{DATE_US:END_DATE}:%{TIME:END_TIME} GMT - %{DATA} %{POSINT:total_bytes_sent} - %{DATA} %{POSINT:total_bytes_recv}",
                                        "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{INT:netscaler_spcbid} - %{DATA} %{IP:clientip} - %{DATA} %{INT:netscaler_client_port} - %{DATA} %{IP:netscaler_vserver_ip} - %{DATA} %{INT:netscaler_vserver_port} %{GREEDYDATA:netscaler_message} - %{DATA} %{WORD:netscaler_session_type}",
                                        "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message}"
                                ]
                        }
}

what do you guys suggest?

[cdienger]

Do you see traffic make it to the NLS machine if you run the following on the NLS command line:

Code: Select all

tcpdump -s 0 -i any port 5560 -nnX

?

Also make sure that the port is opened on the NLS side:

Code: Select all

iptables -I INPUT -p tcp --dport 5560 -j ACCEPT

Code: Select all

iptables -I INPUT -p udp --dport 5560 -j ACCEPT

[benhank]

here is a snippet of the result:

Code: Select all

        0x0020:  5011 0073 db11 0000                      P..s....
20:19:28.750434 IP 10.110.44.12.53546 > 172.22.3.187.5560: Flags [.], ack 2, win 32, length 0
        0x0000:  4500 0028 87ef 4000 fb06 1195 0a6e 2c0c  E..([email protected],.
        0x0010:  ac16 03bb d12a 15b8 2850 d527 53e6 b5c3  .....*..(P.'S...
        0x0020:  5010 0020 db64 0000 0000 0000 0000       P....d........
20:19:29.328796 IP 10.110.44.12.9138 > 172.22.3.187.5560: Flags [S], seq 340739177, win 8188, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
        0x0000:  4500 0034 2629 4000 fb06 734f 0a6e 2c0c  E..4&)@...sO.n,.
        0x0010:  ac16 03bb 23b2 15b8 144f 4469 0000 0000  ....#....ODi....
        0x0020:  8002 1ffc d6a6 0000 0204 05b4 0103 0308  ................
        0x0030:  0101 0402                          

[cdienger]

It looks like data is getting to the NLS machine so the next step would be to enable debugging for Logstash to see how things are getting processed.

Edit /etc/init.d/logstash and change line 64 from:

Code: Select all

DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS}"

to:

Code: Select all

DAEMON_OPTS="agent -f ${LS_CONF_DIR} -l ${LS_LOG_FILE} ${LS_OPTS} --debug"

and restart the service with:

Code: Select all

systemctl daemon-reload
service logstash restart

Let this run just long enough to allow NLS to process some events from the netscaler and then collect the /var/log/logstash/logstash.log file before reverting the config back. Please PM me a copy of the logstash.log.