I am wondering if this is possible. We are looking to have Log Server handle all firewall logs, which can be millions of entries per hour. I know LS will be able to handle this. For policy reasons, these logs need to be redirected to another syslog system. Can Log Server collect all the logs and then redirect them to another syslog tool? If so, can LS do some filtering before redirecting them (i.e. we only want to send them the "denied" entries)?
Thanks!
Redirecting logs from Log server
Re: Redirecting logs from Log server
While I have not done this personally, there are a plethora of available outputs in the logstash community: http://logstash.net/docs/1.4.2/
The following looks like exactly what you want: http://logstash.net/docs/1.4.2/outputs/syslog
Outputs are processed one at a time - your first output is presumably set to output from Logstash to your local elasticsearch cluster. If you added a syslog output after it, Logstash would then send your logs to a specified syslog server.
Regarding how to filter before sending your logs outward - I am still looking into that. Let me know if the above is useful for you!
Re: Redirecting logs from Log server
Thanks for pointing out the outputs. This will work, so I will add a syslog output for testing. If you have additional information on filtering, please let me know. Thank you.
Re: Redirecting logs from Log server
The only way that I could find to accomplish this is to use tags. This will work how you want it to - but according to the logstash website:

tags
DEPRECATED WARNING: This config item is deprecated. It may be removed in a further version.

We want to accomplish forwarding certain traffic out a certain output. Let's call that traffic 'Firewall1'.

First, we would define a filter for our Firewall1 traffic:

    filter {
      grok {
        # Only events of this type are matched (the "type" option on filters is deprecated in 1.4 but still works)
        type => "firewall stuff"
        # "pattern" is the deprecated 1.4 spelling of "match"; put your firewall grok pattern here
        pattern => "some pattern"
        # Every event that matches the pattern gets this tag
        add_tag => "someuniquetag"
      }
    }

Please note that we have now tagged this traffic with 'someuniquetag'. Next, we'll define our syslog output:

    output {
      syslog {
        # facility must be one of the syslog facility names the plugin accepts (e.g. "local0".."local7")
        facility => "local1"
        host => "syslog.server"
        port => 1337
        severity => "debug"
        # "tags" (not "tag") is the output option the deprecation warning above refers to;
        # only events carrying this tag are sent through this output
        tags => ["someuniquetag"]
      }
    }

Now any traffic that matches the output tag will be forwarded through that output. Since we tagged the traffic appropriately in the filter, Firewall1 traffic will be directed through the output. Let me know if this works for you!
Re: Redirecting logs from Log server
This looks pretty straightforward, thanks! It will take a while for me to play around with this etc. Feel free to lock this up.
Re: Redirecting logs from Log server
Will do. Feel free to open a new thread if you need further help. Thank you!
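The tag-based config in the thread relies on a deprecated output option. As an added example (not from the thread or from Nagios), here is the same routing done with Logstash conditionals, which is what the deprecation warning points towards: every firewall event is still indexed locally, but only "denied" entries are forwarded to the external syslog server. The input port, grok pattern, field names and host are assumptions.

```conf
# Added example: forward only "denied" firewall events to an external syslog host.
# The input port, the grok pattern and the field names are assumed, not taken from the thread.
input {
  syslog {
    port => 5514              # assumed port the firewalls send to
    type => "firewall"
  }
}

filter {
  if [type] == "firewall" {
    grok {
      # Assumed line shape, e.g.: "denied tcp 10.0.0.5:51234 -> 203.0.113.9:22"
      match => { "message" => "%{WORD:action} %{WORD:proto} %{IP:src_ip}:%{INT:src_port} -> %{IP:dst_ip}:%{INT:dst_port}" }
      tag_on_failure => [ "_grokparsefailure" ]
    }
    # Normalise so "Denied"/"DENIED" variants hit the same conditional below
    mutate { lowercase => [ "action" ] }
  }
}

output {
  # Everything, denied or not, still goes to the local cluster
  elasticsearch { host => "localhost" }

  # Only parsed, denied firewall events leave the box
  if [type] == "firewall" and [action] == "denied" and "_grokparsefailure" not in [tags] {
    syslog {
      host     => "syslog.server"   # external syslog system named in the thread
      port     => 1337
      protocol => "udp"             # switch to "tcp" if the receiver must not drop events under load
      facility => "local1"
      severity => "warning"
      appname  => "firewall"
    }
  }
}
```

Events whose grok pattern fails to match are kept locally but deliberately not forwarded, so a pattern mistake shows up as `_grokparsefailure` in the local index rather than as silently missing data on the remote side.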