网络设备syslog推送配置
2019-03-18
F7bonacci
- cisco交换机
! Push syslog to the collector over plain UDP/5002 (matched by the Logstash `udp` input on 5002).
! UDP syslog is neither authenticated nor encrypted and can be silently dropped or spoofed:
! keep it on the management path (e.g. `logging source-interface`) and restrict who can reach
! the collector. `transport tcp port 5002` would hit the collector's tcp listener on the same
! port, which is still cleartext unless TLS is configured on both ends.
! The collector's grok pattern expects a leading sequence number ("<pri>NNN: ") before the
! timestamp; IOS only emits it with `service sequence-numbers` — verify against a captured message.
logging host 10.100.18.18 transport udp port 5002
- h3c交换机
# Turn on the information center (the Comware syslog subsystem).
info-center enable
# Switch trap-class output off on channel 2 (the default loghost channel on Comware —
# confirm with `display channel`); only log messages then reach the collector.
info-center source default channel 2 trap state off
# Collector address and port: plain UDP to the Logstash udp input on 5003.
# Unauthenticated and unencrypted; restrict the path to the management network.
info-center loghost 10.100.18.18 port 5003
- 华为交换机(默认端口udp514)
# Turn on the information center (the VRP syslog subsystem).
info-center enable
# No port given, so messages go to UDP/514. 514 is a privileged port on the collector:
# Logstash would have to run as root (or hold CAP_NET_BIND_SERVICE) to bind it. Where the
# VRP version supports it, pick a port above 1024 with `port <n>` and match it in the
# Logstash udp input. Plain UDP: no authentication, no encryption.
info-center loghost 10.100.18.18
# short-date timestamps carry no year; the collector applies no `date` filter, so events
# are stamped with the receive time anyway — keep device and collector on NTP so the two
# clocks agree during incident reconstruction.
info-center timestamp log short-date
info-center timestamp trap short-date
elk配置
Logstash 的配置
- /opt/elk/logstash-6.2.4/config/network.conf
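input {
  # Transport is plain syslog: none of these listeners authenticates or encrypts
  # anything, and `type` is assigned purely by listening port, so anyone who can
  # reach a port can inject events of that "type". Restrict the ports to the
  # management network and use the tcp input's TLS options
  # (ssl_enable / ssl_cert / ssl_key) for senders that support TLS syslog.
  # The inputs set `host` to the sender address; that is the only field here
  # that is not taken from attacker-controllable message text.
  tcp { port => 5002 type => "Cisco" }
  # 514 is a privileged port: Logstash needs root or CAP_NET_BIND_SERVICE to
  # bind it. Prefer a high port and set it on the device with `info-center loghost <ip> port <n>`.
  udp { port => 514  type => "HUAWEI" }
  udp { port => 5002 type => "Cisco" }
  udp { port => 5003 type => "H3C" }
}
filter {
  # Severity is matched with NONNEGINT: the original used POSINT, whose pattern
  # starts at 1, so severity-0 (Emergency) messages — the most important ones —
  # failed to parse and lost `severity` / `severity_code` entirely.
  # Alternatives are listed as an array (the documented form); the original
  # repeated the `match` key and relied on the config compiler to merge them.
  # No `date` filter is applied: @timestamp is the receive time, the device's
  # own timestamp survives only in `timestamp` where it is kept.
  # On a failed match the event is tagged `_grokparsefailure`, keeps the raw
  # `message` and gets no severity fields.
  if [type] == "Cisco" {
    grok {
      # Both forms expect "<pri>seq: " before the timestamp; the first tolerates
      # one arbitrary character (the IOS "*" / "." clock-not-synced marker)
      # between the sequence number and the timestamp.
      # CISCO_REASON is an ASA pattern that happens to end in a generic
      # word-sequence alternative, which is why it accepts IOS mnemonics.
      match => { "message" => [
        "<%{BASE10NUM:syslog_pri}>%{NUMBER:log_sequence}: .%{SYSLOGTIMESTAMP:timestamp}: %%{DATA:facility}-%{NONNEGINT:severity}-%{CISCO_REASON:mnemonic}: %{GREEDYDATA:message}",
        "<%{BASE10NUM:syslog_pri}>%{NUMBER:log_sequence}: %{SYSLOGTIMESTAMP:timestamp}: %%{DATA:facility}-%{NONNEGINT:severity}-%{CISCO_REASON:mnemonic}: %{GREEDYDATA:message}"
      ] }
      # Numeric copy taken before the gsub below rewrites `severity` to a name.
      add_field => { "severity_code" => "%{severity}" }
      # Replaces the raw line with the payload part; the syslog header is lost
      # unless copied elsewhere first.
      overwrite => [ "message" ]
    }
  }
  else if [type] == "H3C" {
    grok {
      # "%%" in the pattern is a literal "%" followed by a pattern reference.
      match => { "message" => "<%{BASE10NUM:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{YEAR:year} %{DATA:hostname} %%%{DATA:vvmodule}/%{NONNEGINT:severity}/%{DATA:digest}: %{GREEDYDATA:message}" }
      remove_field => [ "year" ]
      add_field => { "severity_code" => "%{severity}" }
      overwrite => [ "message" ]
    }
  }
  else if [type] == "HUAWEI" {
    grok {
      # Second form: message without the leading "%%" module marker.
      match => { "message" => [
        "<%{BASE10NUM:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{DATA:hostname} %%%{DATA:ddModuleName}/%{NONNEGINT:severity}/%{DATA:Brief}:%{GREEDYDATA:message}",
        "<%{BASE10NUM:syslog_pri}>%{SYSLOGTIMESTAMP:timestamp} %{DATA:hostname} %{DATA:ddModuleName}/%{NONNEGINT:severity}/%{DATA:Brief}:%{GREEDYDATA:message}"
      ] }
      # Device time is dropped for Huawei; only the receive time remains.
      remove_field => [ "timestamp" ]
      add_field => { "severity_code" => "%{severity}" }
      overwrite => [ "message" ]
    }
  }
  # Map the syslog severity digit to its name. gsub is a regex substring
  # replacement run in order; this is only safe because `severity` is a single
  # digit 0-7 and none of the names contains a digit. Events with no
  # `severity` (parse failures, other types) are left untouched.
  mutate {
    gsub => [
      "severity", "0", "Emergency",
      "severity", "1", "Alert",
      "severity", "2", "Critical",
      "severity", "3", "Error",
      "severity", "4", "Warning",
      "severity", "5", "Notice",
      "severity", "6", "Informational",
      "severity", "7", "Debug"
    ]
  }
}
output {
  # stdout { }
  elasticsearch {
    # One index per day; device logs are evidence, so apply an ILM/retention
    # policy and write-once access on the cluster side.
    index => "syslog-%{+YYYY.MM.dd}"
    hosts => ["your_ipaddress:9200"]
    # As written this is an unauthenticated, cleartext connection to port 9200.
    # Do not expose 9200 beyond the collector host; when the cluster has auth
    # and TLS, set the output's credentials and CA here, e.g.:
    # user => "logstash_writer"
    # password => "${LS_ES_PASSWORD}"
    # ssl => true
    # cacert => "/etc/logstash/ca.pem"
  }
}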
- /opt/elk/logstash-6.2.4/start-network.sh
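#!/bin/sh
# Starts the network-device Logstash pipeline in the background.
# Paths below are relative to the Logstash install directory, so change into
# the directory this script lives in before invoking bin/logstash.
cd "$(dirname "$0")" || exit 1
# The pipeline file shown above is config/network.conf; the original script
# pointed at config/network-device.conf, which this page never defines.
CONF="config/network.conf"
mkdir -p logs data/network
# Keep stdout/stderr rather than discarding them: a malformed config or a
# listener that cannot bind (e.g. udp/514 without root or
# CAP_NET_BIND_SERVICE) is reported there at startup.
# Run this as a dedicated unprivileged user, not root; the inputs accept
# untrusted network traffic.
nohup bin/logstash -f "$CONF" -l logs/networklog --path.data data/network >> logs/start-network.out 2>&1 &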