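--- a/SANsymphony/Syslog/DataCore_RFC3164.conf
+++ b/SANsymphony/Syslog/DataCore_RFC3164.conf
@@ -0,0 +1,75 @@
+# input information to receive data from DataCore Sever
+# DataCore -> Server Group -> Settings -> Syslog Settings -> UDP port -> Example: 516
+
+input {
+udp {
+port => 514
+type => syslog
+}
+}
+
+# filter for RFC3164
+# DataCore -> Server Group -> Settings -> Syslog Settings -> RFC Format -> Example: RFC3164
+filter {
+# these are the fields from the syslog messages being sent - we do not specifically care about these
+# these fields are in reference to the syslog messages, not the specific DataCore Server
+mutate{
+remove_field => ["@timestamp","@version","event","type","host"]
+}
+
+# The raw string from DataCore Server "message" is parsed specifically for the RFC Format
+# List of extracted fields:
+# msgtype: tranlates to Event Info Severity
+# facility:
+# timestamp: this is the time from the DataCore Server event log
+# hostname: refers to the specific DataCore Server that the message is populated from
+# appname: defaults to DataCore_SANsymphony
+grok {
+# filter for RFC3164
+match => {"message" => "<%{DATA:msgtype}>%{SYSLOGTIMESTAMP:timestamp} %{IPORHOST:hostname} %{WORD:appname}:%{GREEDYDATA:syslog_msg}"}
+}
+# the following operations are used to clean up the data and make it into human readable output:
+
+# msgtype: tranlates to Event Info Severity; given as an integer, translate into Info, Warning, or Error
+if [msgtype] == "14" {
+mutate {
+add_field => { "severity" => "INFO" }
+}
+}
+if [msgtype] == "12" {
+mutate {
+add_field => { "severity" => "WARNING" }
+}
+}
+if [msgtype] == "11" {
+mutate {
+add_field => { "severity" => "ERROR" }
+}
+}
+
+mutate {
+remove_field => ["msgtype","message"]
+}
+}
+
+
+# output: where to send this data
+output {
+
+# for this example we are using an elastic search instance from the ELK stack
+elasticsearch {
+hosts => "ELASTIC SEARCH_IP"
+index => "syslog_5424"
+user => "elastic"
+manage_template => false
+}
+
+# simultenously, the data can also be sent via UDP port to a tool such as SPLUNK
+udp {
+host => "HOST_IP"
+port => 514
+}
+
+# standard output for local instance - debugging
+stdout { codec => rubydebug }
+}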
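Review bot: The elasticsearch output at the end of the file authenticates as the built-in `elastic` superuser and sets no `password`, `ssl` or `cacert`, so the pipeline presumably either cannot connect or ships events over plaintext HTTP with the cluster's most privileged account; an ingest pipeline should use a dedicated role with write access to its own index only, with the secret read from the Logstash keystore, e.g. `user => "${ES_USER}"`, `password => "${ES_PASSWORD}"`, `ssl => true` (plus `cacert => "/etc/logstash/ca.crt"`). The `hosts => "ELASTIC SEARCH_IP"` placeholder contains a space and should be a full URL such as `https://es.example:9200`, and `index => "syslog_5424"` in a file named `DataCore_RFC3164.conf` looks copied from the 5424 pipeline. The UDP input on 514 accepts unauthenticated, spoofable datagrams from any source and disagrees with the `Example: 516` in the comment above it; a `host =>` binding or firewall rule limiting the listener to the DataCore servers' addresses is worth documenting next to it. Finally, `stdout { codec => rubydebug }` echoes every event, including the raw message, into the Logstash log and should be commented out before deployment.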
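--- a/SANsymphony/Syslog/DataCore_RFC5424.conf
+++ b/SANsymphony/Syslog/DataCore_RFC5424.conf
@@ -0,0 +1,82 @@
+# input information to receive data from DataCore Sever
+# DataCore -> Server Group -> Settings -> Syslog Settings -> UDP port -> Example: 516
+
+input {
+udp {
+port => 514
+type => syslog
+}
+}
+
+# filter for RFC5424
+# DataCore -> Server Group -> Settings -> Syslog Settings -> RFC Format -> Example: RFC5424
+filter {
+# these are the fields from the syslog messages being sent - we do not specifically care about these
+# these fields are in reference to the syslog messages, not the specific DataCore Server
+mutate{
+remove_field => ["@timestamp","@version","event","type","host"]
+}
+
+# The raw string from DataCore Server "message" is parsed specifically for the RFC Format
+# List of extracted fields:
+# msgtype: tranlates to Event Info Severity
+# facility:
+# timestamp: this is the time from the DataCore Server event log
+# hostname: refers to the specific DataCore Server that the message is populated from
+# appname: defaults to DataCoreSANsymphony
+grok {
+match => { "message" => "<%{DATA:msgtype}>%{WORD:facility} %{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:hostname} %{WORD:appname} %{DATA} %{DATA} %{DATA} %{GREEDYDATA:syslog_msg}" }
+}
+
+# the following operations are used to clean up the data and make it into human readable output:
+date {
+match => [ "timestamp", "ISO8601" ]
+}
+
+# msgtype: tranlates to Event Info Severity; given as an integer, translate into Info, Warning, or Error
+if [msgtype] == "14" {
+mutate {
+add_field => { "severity" => "INFO" }
+}
+}
+if [msgtype] == "12" {
+mutate {
+add_field => { "severity" => "WARNING" }
+}
+}
+if [msgtype] == "11" {
+mutate {
+add_field => { "severity" => "ERROR" }
+}
+}
+
+# this removed the ? in some of the fields
+mutate {
+gsub => [
+"syslog_msg", "^.", ""
+]
+remove_field => ["msgtype","facility","message","timestamp"]
+}
+}
+
+
+# output: where to send this data
+output {
+
+# for this example we are using an elastic search instance from the ELK stack
+elasticsearch {
+hosts => "ELASTIC SEARCH_IP"
+index => "syslog_5424"
+user => "elastic"
+manage_template => false
+}
+
+# simultenously, the data can also be sent via UDP port to a tool such as SPLUNK
+udp {
+host => "HOST_IP"
+port => 514
+}
+
+# standard output for local instance - debugging
+stdout { codec => rubydebug }
+}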
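Review bot: The `severity` mapping starting at `if [msgtype] == "14"` compares the whole syslog PRI value, which per RFC 5424 §6.2.1 is `facility*8 + severity`, so the three literal matches (14, 12, 11) only cover facility 1 with severities 6, 4 and 3, and a message with any other facility reaches Elasticsearch with no `severity` field at all; deriving the name from `PRI % 8` yields the same INFO/WARNING/ERROR for those three values and covers the rest. The final `mutate` also deletes `message` unconditionally, so an event that fails the grok match (tagged `_grokparsefailure`) loses its only copy of the raw payload before the remaining filters run on missing fields; the cleanup should be guarded on that tag. Separately, the token captured as `%{WORD:facility}` immediately after the PRI is the VERSION field (`1`) in RFC 5424, not the facility, and `gsub => ["syslog_msg", "^.", ""]` strips whatever the first character happens to be rather than only a `?`, which presumably targets a leading character observed in DataCore output — a comment recording that observation would help the next maintainer. The replacement below stands in for the three `if` blocks and the last `mutate`.
```logstash
# … unchanged: input, initial mutate, grok, date …
# PRI = facility*8 + severity (RFC 5424 §6.2.1); derive the severity name from PRI % 8
# and only clean up events the grok pattern actually parsed
if "_grokparsefailure" not in [tags] {
  ruby {
    code => 'names = ["EMERGENCY","ALERT","CRITICAL","ERROR","WARNING","NOTICE","INFO","DEBUG"]; event.set("severity", names[event.get("msgtype").to_i % 8])'
  }
  mutate {
    gsub => [ "syslog_msg", "^.", "" ]
    remove_field => ["msgtype","facility","message","timestamp"]
  }
}
# … unchanged: output …
```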