Syslog Dashboard enrichement #2238
Replies: 2 comments 1 reply
-
|
I would assume the syslog is not being parsed as expected. Are you able to locate the data by searching within Discover? As far as the list of devices you mentioned, you can create your own custom dashboards in Kibana, using fields from the events. |
Beta Was this translation helpful? Give feedback.
-
|
Hello Wes, I can see the data in discover. I will post some of them the number between <> is the syslog priority And the log.source.address is recorded as IP address and port When I look at the parser it normally parses the hostname, right? https://github.com/Security-Onion-Solutions/securityonion/blob/master/salt/elasticsearch/files/ingest/syslog I'll be honest, I've never written a parser before, but I'm now looking for all the information about it, so I can start with it. I have tried to create a grok for the syslog of the router
The result is not yet perfect, but i found the developers tools in the elastic features
I am now trying to remove the Src =, Dst = and Protocol = from the result. But no luck till now Regards |
Beta Was this translation helpful? Give feedback.
-
|
I don't know if it's of any help, but you might want to take a look at the ingest pipeline I posted in #5251 |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
hello,
Can there be created a list whith hostnames that are forwarding logs?
This is useful if you need to search a specific host's logs for a specific moment.
On this moment I am using syslog only for routers, switches and printers. I can not change the syslog output of these devices.
On the syslog dashbord, none of the sub-screens have data .
Regards
Bart
Beta Was this translation helpful? Give feedback.
All reactions