Redirecting logs from Log server
Posted: Mon Mar 30, 2015 12:33 pm
by OptimusB
I am wondering if this is possible. We are looking to have Log Server handle all firewall logs, which can be millions of entries per hour. I know LS will be able to handle this. For policy reasons, these logs need to be redirected to another syslog system. Can Log Server collect all the logs and then redirect to another syslog tool? If so, can LS do some filtering before redirecting it (i.e. we only want to send them the "denied" entries)?
Thanks!
Re: Redirecting logs from Log server
Posted: Tue Mar 31, 2015 10:08 am
by jolson
While I have not done this personally, there are a plethora of available outputs in the logstash community:
http://logstash.net/docs/1.4.2/
The following looks like exactly what you want:
http://logstash.net/docs/1.4.2/outputs/syslog
Outputs are processed one at a time - your first output is presumably set to output from Logstash to your local elasticsearch cluster. If you added a syslog output after it, Logstash would then send your logs to a specified syslog server.
Regarding how to filter before sending your logs outward - I am still looking into that. Let me know if the above is useful for you!
Re: Redirecting logs from Log server
Posted: Tue Mar 31, 2015 12:15 pm
by OptimusB
Thanks for pointing out the outputs. This will work, so I will add a syslog output for testing. If you have additional information on filtering, please let me know. Thank you.
Re: Redirecting logs from Log server
Posted: Tue Mar 31, 2015 12:55 pm
by jolson
The only way that I could find to accomplish this is to use tags. This will work how you want it to, but according to the logstash website:
tags
DEPRECATED WARNING: This config item is deprecated. It may be removed in a further version.
We want to accomplish forwarding certain traffic out a certain output. Let's call that traffic 'Firewall1'.
First, we would define a filter for our Firewall1 traffic:
filter {
  grok {
    type => "firewall stuff"          # 'type' is deprecated in 1.4 but still honoured
    pattern => "some pattern"         # replace with the real grok pattern for your firewall lines
    add_tag => [ "someuniquetag" ]    # add_tag takes a list of tags
  }
}
Please note that we have now tagged this traffic with 'someuniquetag'. Next, we'll define our syslog output:
output {
  syslog {
    facility => "local0"              # must be a standard syslog facility name (e.g. local0-local7)
    host => "syslog.server"
    port => 1337
    severity => "debug"
    tags => [ "someuniquetag" ]       # the deprecated 'tags' option; only events carrying the tag use this output
  }
}
Now any traffic that matches the output tag will be forwarded through that output. Since we tagged the traffic appropriately in the filter, Firewall1 traffic will be directed through the output. Let me know if this works for you!
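As an added worked example (not code from this thread or from either product's documentation), here is a complete pipeline that does what the original question asked for, using Logstash conditionals instead of the deprecated per-output tags option: every event still goes to Elasticsearch, and only entries whose action parses as DENY are tagged and copied to the second syslog system. The firewall line format, the grok field names, the listening port and the Elasticsearch address are assumptions.

```conf
# Added example, not the thread's own config. Assumes firewall lines like
# (constructed sample):  "DENY TCP 10.0.0.5:51234 -> 203.0.113.9:22"
# after the syslog input has stripped the syslog header.
input {
  syslog {
    port => 5514                      # assumed listener for the firewalls
  }
}

filter {
  # Field names fw_action/fw_proto/src_ip/... are assumptions, not a standard.
  grok {
    match => [ "message", "%{WORD:fw_action} %{WORD:fw_proto} %{IP:src_ip}:%{INT:src_port} -> %{IP:dst_ip}:%{INT:dst_port}" ]
    tag_on_failure => [ "_fw_grok_failed" ]
  }
  # Conditionals (available since Logstash 1.3) replace the deprecated
  # 'tags' / 'type' options on filters and outputs.
  if [fw_action] == "DENY" {
    mutate { add_tag => [ "someuniquetag" ] }
  }
}

output {
  # Everything is still indexed locally (adjust host to your cluster).
  elasticsearch { host => "localhost" }

  # Only events carrying the tag are forwarded to the second syslog system.
  if "someuniquetag" in [tags] {
    syslog {
      host     => "syslog.server"
      port     => 1337
      protocol => "udp"
      facility => "local0"
      severity => "warning"
      appname  => "firewall"
    }
  }
}
```

Events that fail the grok match keep the `_fw_grok_failed` tag and are indexed but never forwarded, so a format change on the firewall side shows up as a searchable gap rather than as silently leaked entries.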
Re: Redirecting logs from Log server
Posted: Wed Apr 01, 2015 12:36 pm
by OptimusB
This looks pretty straightforward, thanks! It will take a while for me to play around with this etc. Feel free to lock this up.

Re: Redirecting logs from Log server
Posted: Wed Apr 01, 2015 12:55 pm
by jolson
Will do. Feel free to open a new thread if you need further help. Thank you!