WQ6N
Occasional Visitor
With a little research and luck I managed to configure the syslog output of the AC5300 to interface with the open-source SIEM ELK Stack (currently called Elastic Stack). I have ELK indexes for OSSEC, Filebeat, Winlogbeat and Logstash. The AC5300 syslog interfaces with the Logstash type "syslog".
select portions of /etc/logstash/conf.d/logstash.conf
input {
  # Router syslog arrives over UDP on 5140 (set on the AC5300 via nvram) and is tagged type "syslog"
  udp {
    port => "5140"
    type => "syslog"
  }
  # OSSEC alerts are read from its JSON alert log
  file {
    type => "ossec-alerts"
    path => "/var/ossec/logs/alerts/alerts.json"
    codec => "json"
  }
  # Filebeat and Winlogbeat ship to the Beats input
  beats {
    port => "5044"
  }
}
Filter...
output {
  # OSSEC alerts get their own index and mapping template;
  # everything else (router syslog, beats) goes to the default logstash-* index
  if [type] == "ossec-alerts" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "ossec-%{+YYYY.MM.dd}"
      document_type => "ossec"
      template => "/etc/logstash/elastic-ossec-template.json"
      template_name => "ossec"
      template_overwrite => true
    }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "logstash-%{+YYYY.MM.dd}"
    }
  }
}
As one can see, I had to set the log_port to 5140 via 'nvram set' in order to get things working. It would be neat to get the geoip mapping to work downstream. This is an extremely busy filter. Here is a 2 minute slice of Kibana.
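As an added example that is not part of the original post, the following Python sketch parses syslog lines of the kind the udp input above receives (PRI header split into facility/severity, as Logstash's syslog_pri filter does) and picks out the addresses a downstream geoip filter could actually enrich. The sample lines are constructed and only assume the classic RFC 3164 layout, not the AC5300's real message format; a geoip lookup on RFC 1918 or other reserved addresses, which dominate a home router's logs, only yields a lookup failure.

```python
import ipaddress
import re

# <PRI> header, BSD timestamp, hostname, then the free-form message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(line):
    """Split PRI into facility and severity and return the header fields,
    or None if the line has no RFC 3164 header."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": SEVERITY[pri & 7],
            "timestamp": m["ts"], "host": m["host"], "message": m["msg"]}


def geoip_candidates(message):
    """Return the globally routable IPv4 addresses in a message. Private,
    loopback, link-local and reserved ranges are skipped: geoip has no
    data for them and would only tag the event with a lookup failure."""
    found = []
    for text in IPV4_RE.findall(message):
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            continue  # e.g. 300.1.2.3 matches the regex but is not an address
        if ip.is_global and str(ip) not in found:
            found.append(str(ip))
    return found


def enrich(line):
    """Parse one line and attach the addresses worth handing to geoip."""
    event = parse_syslog(line)
    if event is not None:
        event["geoip_candidates"] = geoip_candidates(event["message"])
    return event


# Constructed sample lines in the layout above, not real AC5300 output
SAMPLE = [
    "<6>Mar 10 12:00:01 router kernel: ACCEPT IN=br0 OUT=eth0 "
    "SRC=192.168.1.23 DST=8.8.8.8 PROTO=UDP DPT=53",
    "<14>Mar 10 12:00:02 router dnsmasq-dhcp: DHCPACK(br0) 192.168.1.23 aa:bb:cc:dd:ee:ff",
    "not a syslog line",
]
```

Running `enrich` over each line of SAMPLE shows the first line carries one geoip-eligible address while the DHCP line carries none, which is the split a filter conditional in front of geoip should make.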