From f0d42611b8858e0b61869b47c6d22de282d7954c Mon Sep 17 00:00:00 2001
From: Ashutosh Garg <54442952+datacore-ashutosh@users.noreply.github.com>
Date: Wed, 30 Jul 2025 11:07:05 -0400
Subject: [PATCH] Syslog scripts for use with Elastic Search and Splunk
---
SANsymphony/Syslog/DataCore_RFC3164.conf | 75 ++++++++++++++++++++++
SANsymphony/Syslog/DataCore_RFC5424.conf | 82 ++++++++++++++++++++++++
2 files changed, 157 insertions(+)
create mode 100644 SANsymphony/Syslog/DataCore_RFC3164.conf
create mode 100644 SANsymphony/Syslog/DataCore_RFC5424.conf
diff --git a/SANsymphony/Syslog/DataCore_RFC3164.conf b/SANsymphony/Syslog/DataCore_RFC3164.conf
new file mode 100644
index 0000000..774044d
--- /dev/null
+++ b/SANsymphony/Syslog/DataCore_RFC3164.conf
@@ -0,0 +1,75 @@
+# input information to receive data from DataCore Sever
+# DataCore -> Server Group -> Settings -> Syslog Settings -> UDP port -> Example: 516
+
+input {
+ udp {
+ port => 514
+ type => syslog
+ }
+}
+
+# filter for RFC3164
+# DataCore -> Server Group -> Settings -> Syslog Settings -> RFC Format -> Example: RFC3164
+filter {
+ # these are the fields from the syslog messages being sent - we do not specifically care about these
+ # these fields are in reference to the syslog messages, not the specific DataCore Server
+ mutate{
+ remove_field => ["@timestamp","@version","event","type","host"]
+ }
+
+ # The raw string from DataCore Server "message" is parsed specifically for the RFC Format
+ # List of extracted fields:
+ # msgtype: tranlates to Event Info Severity
+ # facility:
+ # timestamp: this is the time from the DataCore Server event log
+ # hostname: refers to the specific DataCore Server that the message is populated from
+ # appname: defaults to DataCore_SANsymphony
+ grok {
+ # filter for RFC3164
+ match => {"message" => "<%{DATA:msgtype}>%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:hostname} %{WORD:appname}:%{GREEDYDATA:syslog_msg}"}
+ }
+ # the following operations are used to clean up the data and make it into human readable output:
+
+ # msgtype: tranlates to Event Info Severity; given as an integer, translate into Info, Warning, or Error
+ if [msgtype] == "14" {
+ mutate {
+ add_field => { "severity" => "INFO" }
+ }
+ }
+ if [msgtype] == "12" {
+ mutate {
+ add_field => { "severity" => "WARNING" }
+ }
+ }
+ if [msgtype] == "11" {
+ mutate {
+ add_field => { "severity" => "ERROR" }
+ }
+ }
+
+ mutate {
+ remove_field => ["msgtype","message"]
+ }
+}
+
+
+# output: where to send this data
+output {
+
+ # for this example we are using an elastic search instance from the ELK stack
+ elasticsearch {
+ hosts => "ELASTIC SEARCH_IP"
+ index => "syslog_5424"
+ user => "elastic"
+ manage_template => false
+ }
+
+ # simultenously, the data can also be sent via UDP port to a tool such as SPLUNK
+ udp {
+ host => "HOST_IP"
+ port => 514
+ }
+
+ # standard output for local instance - debugging
+ stdout { codec => rubydebug }
+}
\ No newline at end of file
diff --git a/SANsymphony/Syslog/DataCore_RFC5424.conf b/SANsymphony/Syslog/DataCore_RFC5424.conf
new file mode 100644
index 0000000..72bf53d
--- /dev/null
+++ b/SANsymphony/Syslog/DataCore_RFC5424.conf
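Review bot: The `elasticsearch { ... user => "elastic" ... }` block in `output {}` names the built-in superuser but carries no `password` and no TLS setting, so the pipeline either cannot authenticate or pushes every event to `"ELASTIC SEARCH_IP"` in cleartext with superuser rights; the identical block appears in DataCore_RFC5424.conf. A dedicated user whose role is limited to writing the target index, with the secret read from the Logstash keystore rather than the file, is the least-privilege form: `user => "<ingest-user>"`, `password => "${ES_PASSWORD}"` (keystore key name is a placeholder), and TLS via `ssl_enabled => true` (`ssl => true` on older plugin releases) once the cluster CA is configured. Separately, the final `mutate { remove_field => ["msgtype","message"] }` runs even when `grok` failed and tagged the event `_grokparsefailure`, so unparsed lines reach the outputs with the raw `message` already discarded and nothing left to investigate; guarding it with `if "_grokparsefailure" not in [tags] { ... }` preserves the original text for those events, and the same applies to the final mutate in the RFC5424 file. Also, this RFC3164 pipeline writes to `index => "syslog_5424"`, the same index the RFC5424 file uses, which reads like a copy-paste leftover; `"syslog_3164"` would keep the two formats separable.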
@@ -0,0 +1,82 @@
+# input information to receive data from DataCore Sever
+# DataCore -> Server Group -> Settings -> Syslog Settings -> UDP port -> Example: 516
+
+input {
+ udp {
+ port => 514
+ type => syslog
+ }
+}
+
+# filter for RFC5424
+# DataCore -> Server Group -> Settings -> Syslog Settings -> RFC Format -> Example: RFC5424
+filter {
+ # these are the fields from the syslog messages being sent - we do not specifically care about these
+ # these fields are in reference to the syslog messages, not the specific DataCore Server
+ mutate{
+ remove_field => ["@timestamp","@version","event","type","host"]
+ }
+
+ # The raw string from DataCore Server "message" is parsed specifically for the RFC Format
+ # List of extracted fields:
+ # msgtype: tranlates to Event Info Severity
+ # facility:
+ # timestamp: this is the time from the DataCore Server event log
+ # hostname: refers to the specific DataCore Server that the message is populated from
+ # appname: defaults to DataCoreSANsymphony
+ grok {
+ match => { "message" => "<%{DATA:msgtype}>%{WORD:facility} %{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:hostname} %{WORD:appname} %{DATA} %{DATA} %{DATA} %{GREEDYDATA:syslog_msg}" }
+ }
+
+ # the following operations are used to clean up the data and make it into human readable output:
+ date {
+ match => [ "timestamp", "ISO8601" ]
+ }
+
+ # msgtype: tranlates to Event Info Severity; given as an integer, translate into Info, Warning, or Error
+ if [msgtype] == "14" {
+ mutate {
+ add_field => { "severity" => "INFO" }
+ }
+ }
+ if [msgtype] == "12" {
+ mutate {
+ add_field => { "severity" => "WARNING" }
+ }
+ }
+ if [msgtype] == "11" {
+ mutate {
+ add_field => { "severity" => "ERROR" }
+ }
+ }
+
+ # this removed the ? in some of the fields
+ mutate {
+ gsub => [
+ "syslog_msg", "^.", ""
+ ]
+ remove_field => ["msgtype","facility","message","timestamp"]
+ }
+}
+
+
+# output: where to send this data
+output {
+
+ # for this example we are using an elastic search instance from the ELK stack
+ elasticsearch {
+ hosts => "ELASTIC SEARCH_IP"
+ index => "syslog_5424"
+ user => "elastic"
+ manage_template => false
+ }
+
+ # simultenously, the data can also be sent via UDP port to a tool such as SPLUNK
+ udp {
+ host => "HOST_IP"
+ port => 514
+ }
+
+ # standard output for local instance - debugging
+ stdout { codec => rubydebug }
+}
\ No newline at end of file
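Review bot: The `gsub => [ "syslog_msg", "^.", "" ]` entry in the last `mutate` of `filter {}` deletes the first character of every parsed message unconditionally, so an event whose MSG does not begin with the unwanted character loses a real byte of log content; the comment above it only says it removes a "?" in some of the fields. If that character is the UTF-8 BOM that RFC 5424 permits in front of MSG (an inference from the comment, worth confirming against a raw packet capture), match it explicitly so ordinary messages are untouched: `"syslog_msg", "^\uFEFF", ""` (check how the regex escape survives your `config.support_escapes` setting). The comment should then state what is being stripped, e.g. `# strip the leading BOM that RFC 5424 allows before MSG; it renders as "?" in some viewers`, so the next maintainer does not widen the pattern again.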