AA-2892 : Configure Logstash to parse the logs from different Array devices

Review Request #887 — Created May 27, 2025 and submitted

pmurugaiyan
AMP
amp_4_0
AA-2892
apoorva.sn, prajesh, shuinvy

Configure Logstash to parse the logs from different Array devices

Telegraf - To collect the SNMP data and stores in InfluxDB

Logstash - To collect the syslog and output to ElasticSearch.

The changes have been tested locally.

Sample device log:

{
"_index": "acm-2025.05.27",
"_id": "PbksEZcBOkqgtT8RyYcD",
"_version": 1,
"_source": {
"syslog_message": "AN_WELF_LOG:id=OS time=\"2025-05-27 09:57:44\" fw=192.168.85.45 pri=6 proto=http src=192.168.172.5 dstname=192.168.85.45 arg=/dvwa/css/login.css op=GET agent=\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36\" result=200 sent=1001 duration=0.000 msg=\"cache:TCP_MISS peer:DIRECT/192.168.85.38\"",
"tags": [
"an_welf_log_rfc5424_subparsed",
"_grokparsefailure_msg",
"syslog_parsed",
"rfc5424"
],
"bytes_sent": "1001",
"http_result_code": "200",
"virtual_ip": "192.168.85.45",
"host": {
"ip": "192.168.85.101"
},
"useragent": {
"name": "Chrome",
"os": {
"name": "Mac OS X",
"full": "Mac OS X 10.15.7",
"version": "10.15.7"
},
"device": {
"name": "Mac"
},
"version": "136.0.0.0"
},
"severity_numeric": 6,
"priority": "6",
"device_ip": "192.168.85.101",
"device_group": "BLR",
"severity": "Informational",
"log_time": "2025-05-27 09:57:44",
"arg": "/dvwa/css/login.css",
"message": "<134>1 2025-05-27T15:27:44Z AN - - 100002221 - AN_WELF_LOG:id=OS time=\"2025-05-27 09:57:44\" fw=192.168.85.45 pri=6 proto=http src=192.168.172.5 dstname=192.168.85.45 arg=/dvwa/css/login.css op=GET agent=\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36\" result=200 sent=1001 duration=0.000 msg=\"cache:TCP_MISS peer:DIRECT/192.168.85.38\"\u0000",
"client_ip": "192.168.172.5",
"@timestamp": "2025-05-27T09:57:17.031799505Z",
"syslog_priority": "134",
"syslog_timestamp": "2025-05-27T15:27:44Z",
"log_facility": "Local0",
"@version": "1",
"operation": "GET",
"device_type": "vAPV",
"syslog_version": "1",
"log_facility_numeric": 16,
"event": {
"original": "<134>1 2025-05-27T15:27:44Z AN - - 100002221 - AN_WELF_LOG:id=OS time=\"2025-05-27 09:57:44\" fw=192.168.85.45 pri=6 proto=http src=192.168.172.5 dstname=192.168.85.45 arg=/dvwa/css/login.css op=GET agent=\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36\" result=200 sent=1001 duration=0.000 msg=\"cache:TCP_MISS peer:DIRECT/192.168.85.38\"\u0000"
},
"protocol": "http",
"message_detail_raw": "cache:TCP_MISS peer:DIRECT/192.168.85.38",
"device_hostname": "AN",
"message_id": "100002221",
"type": "syslog",
"device_name": "vAPV1",
"destination_name": "192.168.85.45",
"log_id": "OS",
"duration_seconds": "0.000"
},
"fields": {
"useragent.os.version": [
"10.15.7"
],
"destination_name": [
"192.168.85.45"
],
"device_type": [
"vAPV"
],
"type": [
"syslog"
],
"syslog_version": [
"1"
],
"host.ip": [
"192.168.85.101"
],
"device_name": [
"vAPV1"
],
"protocol": [
"http"
],
"device_hostname": [
"AN"
],
"log_facility": [
"Local0"
],
"log_facility_numeric": [
16
],
"syslog_timestamp": [
"2025-05-27T15:27:44.000Z"
],
"arg": [
"/dvwa/css/login.css"
],
"useragent.version": [
"136.0.0.0"
],
"@version": [
"1"
],
"client_ip": [
"192.168.172.5"
],
"syslog_priority": [
"134"
],
"useragent.device.name": [
"Mac"
],
"message_detail_raw": [
"cache:TCP_MISS peer:DIRECT/192.168.85.38"
],
"duration_seconds": [
"0.000"
],
"severity": [
"Informational"
],
"log_id": [
"OS"
],
"useragent.os.full": [
"Mac OS X 10.15.7"
],
"event.original": [
"<134>1 2025-05-27T15:27:44Z AN - - 100002221 - AN_WELF_LOG:id=OS time=\"2025-05-27 09:57:44\" fw=192.168.85.45 pri=6 proto=http src=192.168.172.5 dstname=192.168.85.45 arg=/dvwa/css/login.css op=GET agent=\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36\" result=200 sent=1001 duration=0.000 msg=\"cache:TCP_MISS peer:DIRECT/192.168.85.38\"\u0000"
],
"device_group": [
"BLR"
],
"message_id": [
"100002221"
],
"useragent.name": [
"Chrome"
],
"useragent.os.name": [
"Mac OS X"
],
"severity_numeric": [
6
],
"message": [
"<134>1 2025-05-27T15:27:44Z AN - - 100002221 - AN_WELF_LOG:id=OS time=\"2025-05-27 09:57:44\" fw=192.168.85.45 pri=6 proto=http src=192.168.172.5 dstname=192.168.85.45 arg=/dvwa/css/login.css op=GET agent=\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36\" result=200 sent=1001 duration=0.000 msg=\"cache:TCP_MISS peer:DIRECT/192.168.85.38\"\u0000"
],
"priority": [
"6"
],
"syslog_message": [
"AN_WELF_LOG:id=OS time=\"2025-05-27 09:57:44\" fw=192.168.85.45 pri=6 proto=http src=192.168.172.5 dstname=192.168.85.45 arg=/dvwa/css/login.css op=GET agent=\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36\" result=200 sent=1001 duration=0.000 msg=\"cache:TCP_MISS peer:DIRECT/192.168.85.38\""
],
"bytes_sent": [
"1001"
],
"log_time": [
"2025-05-27 09:57:44"
],
"tags": [
"an_welf_log_rfc5424_subparsed",
"_grokparsefailure_msg",
"syslog_parsed",
"rfc5424"
],
"virtual_ip": [
"192.168.85.45"
],
"device_ip": [
"192.168.85.101"
],
"@timestamp": [
"2025-05-27T09:57:17.031Z"
],
"http_result_code": [
"200"
],
"operation": [
"GET"
]
}
}

pmurugaiyan
pmurugaiyan
prajesh
  1. Ship It!
shuinvy
  1. Ship It!
pmurugaiyan
Review request changed

Status: Closed (submitted)
