
ASUSWRT-Merlin syslog interface with ELK Stack

WQ6N (Occasional Visitor)
With a little research and luck I managed to configure the syslog output of the AC5300 to interface with the open-source SIEM ELK Stack (currently called Elastic Stack). I have ELK indexes for OSSEC, Filebeat, Winlogbeat and Logstash. The AC5300 syslog interfaces with the Logstash type "syslog".

select portions of /etc/logstash/conf.d/logstash.conf

input {
  # Router syslog arrives as plain UDP datagrams on 5140
  # (the port set on the AC5300 with 'nvram set log_port').
  udp {
    port => "5140"
    type => "syslog"
  }
  # OSSEC alerts are tailed from its JSON alert log.
  file {
    type => "ossec-alerts"
    path => "/var/ossec/logs/alerts/alerts.json"
    codec => "json"
  }
  # Filebeat and Winlogbeat ship to the beats input.
  beats {
    port => "5044"
  }
}

Filter...

output {
  # OSSEC alerts get their own daily index and mapping template.
  if [type] == "ossec-alerts" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "ossec-%{+YYYY.MM.dd}"
      document_type => "ossec"
      template => "/etc/logstash/elastic-ossec-template.json"
      template_name => "ossec"
      template_overwrite => true
    }
  } else {
    # Everything else, including the router syslog, lands in the default daily index.
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "logstash-%{+YYYY.MM.dd}"
    }
  }
}

As one can see, I had to set the log_port to 5140 via 'nvram set' in order to get things working. It would be neat to get the geoip mapping to work downstream. This is an extremely busy filter. Here is a 2-minute slice of Kibana.
[Attachment: ELK-01apr17-Capture-clean.jpg (Kibana screenshot)]
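As an added example (not code from WQ6N's post, nor from the Asuswrt-Merlin or Logstash projects): the post elides the filter section, but whatever sits there has to do three things with each router datagram: split the BSD syslog priority into facility and severity, pull out the timestamp, host and program, and, for the geoip mapping the poster wants, find a source address that is actually worth looking up. The script below does exactly that in Python so the logic can be checked against a handful of lines before it is translated into grok, and it carries the caveat that matters for geoip: RFC 1918 and loopback addresses (which is what most dropbear and LAN traffic lines contain) are skipped, because a geoip lookup on them returns nothing. The sample datagrams are constructed for this example in the RFC 3164 shape a router syslogd forwards; they are not captures from the AC5300. The hostname RT-AC5300 and the dropbear/kernel message texts are assumptions.

```python
import ipaddress
import re
import socket
from typing import Optional

# Datagrams constructed for this example in the BSD syslog (RFC 3164) shape
# that the router's syslogd forwards; they are not captures from the AC5300.
SAMPLE_DATAGRAMS = [
    "<30>Apr  1 12:00:01 RT-AC5300 dropbear[1234]: Child connection from 192.168.1.50:51234",
    "<86>Apr  1 12:00:03 RT-AC5300 dropbear[1234]: Password auth succeeded for 'admin' from 192.168.1.50:51234",
    "<4>Apr  1 12:00:05 RT-AC5300 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP DPT=22",
    "garbage that is not syslog",
]

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOST PROGRAM[PID]: MESSAGE  (PID part is optional, e.g. "kernel:")
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# RFC 1918 and loopback ranges: a geoip lookup on these returns nothing useful,
# so they are never proposed as the geoip source field.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def first_routable_ip(message: str) -> Optional[str]:
    """Return the first IPv4 address in the message that is not LAN/loopback, else None."""
    for candidate in IPV4_RE.findall(message):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if not any(addr in net for net in NON_ROUTABLE):
            return str(addr)
    return None


def parse_syslog(line: str) -> Optional[dict]:
    """Split one datagram into the fields a Logstash syslog filter would emit."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # highest legal value: facility 23 * 8 + severity 7
        return None
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "program": m.group("prog"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
        "geoip_candidate": first_routable_ip(m.group("msg")),
    }


def parse_batch(lines):
    """Parse many datagrams; unparsable ones are kept in a reject list rather than dropped."""
    parsed, rejected = [], []
    for line in lines:
        event = parse_syslog(line)
        if event is None:
            rejected.append(line)
        else:
            parsed.append(event)
    return parsed, rejected


def send_to_logstash(lines, host="127.0.0.1", port=5140) -> int:
    """Fire the lines at a Logstash udp input on the same port the router config uses."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))
    finally:
        sock.close()
    return len(lines)


if __name__ == "__main__":
    events, bad = parse_batch(SAMPLE_DATAGRAMS)
    for e in events:
        print(f"{e['facility']}.{e['severity']:8} {e['program']:9} "
              f"geoip={e['geoip_candidate']}  {e['message']}")
    print("rejected:", bad)
```

Run stand-alone it prints the parsed events and the one rejected line; `send_to_logstash(SAMPLE_DATAGRAMS)` pushes the same lines at a local udp input so the path through to the Kibana index can be exercised without waiting for the router. Two points worth keeping in mind with this setup: a udp input has no authentication, so any host that can reach port 5140 can inject lines that will be indexed as if the router had sent them (restrict the port to the router's address at the ELK host firewall), and unparsable lines should be tagged and kept, not silently dropped, since a parser failure on an attacker-shaped message is itself something you want to see.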
