How to push Syslog to ELK?

We need to push Syslog to ELK, so that we can have end-to-end message flow dashboard.

Hey @cgovind! There are a couple of threads in the community previously posted about ELK - were you able to check them out? Here is a link for the search query: https://solace.community/search?query=ELK&scope=site&Search=ELK.

We also have a blog post by @arih that could be helpful! https://solace.com/blog/integrating-solace-with-logstash/

Let us know if you were not able to find the answers there :smile:

Hi @cgovind,

Are you trying to push Solace brokers' logs via syslog to ELK? If so, these links should help:

And then you’ll need to take care of syslog input for the Logstash: Syslog input plugin | Logstash Reference [8.17] | Elastic

But let us know more details about what you want to achieve if that is not the case.

Hi Arih,

I am familiar with syslog forwarding to Splunk, and am expecting the same integration to ELK. Is it possible to do it that way?

Hi @cgovind,
Adding to the answers above. At the Solace end you can configure syslog forwarding to any syslog listener.
As you did for Splunk, the configuration at the Solace brokers is the same; you will just need to define the destination (IP, port, TCP/UDP).

The syslog format from Solace is RFC3164. You can find the details here: Monitoring Using Syslog

At the ELK end, you will need to configure the Logstash component to listen for syslog (input) and send to Elasticsearch (output).

You can find the guide to writing the Logstash configuration from the link provided in earlier answers. You can create the Logstash pipeline according to your needs.

If you need an example, you can try this Logstash configuration:

input {
  # Listen for RFC3164 syslog on TCP and UDP port 514 (the broker's configured destination).
  # Binding a port below 1024 needs elevated privileges; otherwise use a high port and
  # point the broker at it.
  syslog {
    # Keep the classic field names (facility_label, timestamp, logsource)
    # that the filter below relies on.
    ecs_compatibility => "disabled"
    port => 514
    timezone => "Asia/Singapore"
  }
}

filter {
  # Solace broker events arrive on facilities local3/local4; split
  # "<event_type>: <event_name>: <vpn_name> <client_name> <text>" into fields.
  if [facility_label] == "local3" or [facility_label] == "local4" {
    grok {
      match => { "message" => "%{NOTSPACE:event_type}: %{NOTSPACE:event_name}: (?:%{NOTSPACE:vpn_name}) (?:%{NOTSPACE:client_name}) %{GREEDYDATA:message}" }
      # Replace the raw message with the remaining free text.
      overwrite => [ "message" ]
    }
  }
  # RFC3164 timestamps carry no year or zone; the second pattern handles
  # single-digit days, which syslog pads with two spaces.
  date {
    match => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
    timezone => "Asia/Singapore"
  }
}

output {
  elasticsearch {
    hosts => [ "http://elasticsearch:9200" ]
    user => "elastic"
    # Read the password from an environment variable or the Logstash keystore
    # instead of hard-coding it in the pipeline file.
    password => "${VARIABLE_OF_YOUR_ELASTIC_PASSWORD}"
  }
  # Echo parsed events to the console while debugging; remove in production.
  stdout { codec => rubydebug }
}

Thanks Paul, for the clarity, and I will try to go with your instructions.