Logstash - how to classify incoming syslog messages

Hello everyone … I'm trying to configure Logstash as a syslog receiver, but I am having some problems understanding how I would classify incoming messages, so that I can later send them to the proper pipelines for processing.

Let's take a common use case where in the network we have Cisco IOS routers and switches, Cisco ACI, Cisco WLC and ISE, then Checkpoint firewalls, F5 load balancers etc …
Generally those devices would all be sending logs to the syslog server IP on port 514.
But how would we classify where each message is coming from in order to send it to the specific processor?

Are we supposed to set up a different input queue for each processor (for example, a different port on the syslog server, so that ACI goes to 192.168.10.10 port 5514 while Checkpoint goes to port 5515)?

Or is there an IP filter that says: if the source IP is X send to the ACI processor, if Y send to the Checkpoint processor …
Or what other options are there?

In case I want to use Filebeat, then what do you do? It looks insanely complicated, but I might be missing something obvious …

I would be deploying on Kubernetes, and hopefully I'd be able to support multi-tenancy, but the problem exists for a single tenant/customer as well.

1 Like
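The two classification options raised in the post (one port per device family, or routing on the sender's source IP) can both be expressed in a single Logstash ingest pipeline that tags each event and hands it to a dedicated downstream pipeline with the pipeline-to-pipeline feature. The configuration below is an added example, not something from the original post or from Elastic; the listening ports, the address ranges for each device family, and the pipeline names (`aci`, `checkpoint`, `cisco-ios`, `unclassified`) are assumptions you would replace with your own. It uses the `udp` input with `ecs_compatibility` disabled so that the sender's address lands in the plain `host` field, the `cidr` filter to match that address against per-vendor ranges, and the `pipeline` output/input pair for routing.

```logstash
# pipelines.yml (assumed layout): one ingest pipeline plus one pipeline per device family.
# - pipeline.id: syslog-ingest
#   path.config: "/etc/logstash/conf.d/syslog-ingest.conf"
# - pipeline.id: aci
#   path.config: "/etc/logstash/conf.d/aci.conf"
# - pipeline.id: checkpoint
#   path.config: "/etc/logstash/conf.d/checkpoint.conf"
# - pipeline.id: unclassified
#   path.config: "/etc/logstash/conf.d/unclassified.conf"

# ---------- syslog-ingest.conf ----------
input {
  # Option 1 from the post: a dedicated port per device family.
  # Anything arriving on 5514 is tagged as ACI before any filter runs.
  udp {
    port              => 5514
    ecs_compatibility => disabled   # keeps the sender address in the legacy "host" field
    tags              => ["aci"]
  }
  udp {
    port              => 5515
    ecs_compatibility => disabled
    tags              => ["checkpoint"]
  }
  # Shared port 514 for everything else; classification happens on source IP below.
  udp {
    port              => 514
    ecs_compatibility => disabled
  }
}

filter {
  # Option 2 from the post: classify by the sender's source address.
  # Only needed for events that have not already been tagged by a dedicated input.
  if "aci" not in [tags] and "checkpoint" not in [tags] {
    # Assumed address ranges; replace with the real management subnets.
    cidr {
      address => ["%{host}"]
      network => ["192.168.10.0/24"]      # assumed: ACI APIC / leaf management
      add_tag => ["aci"]
    }
    cidr {
      address => ["%{host}"]
      network => ["192.168.20.0/24"]      # assumed: Checkpoint management
      add_tag => ["checkpoint"]
    }
    cidr {
      address => ["%{host}"]
      network => ["10.0.0.0/8"]           # assumed: Cisco IOS routers and switches
      add_tag => ["cisco-ios"]
    }
  }

  # Record which rule fired so the decision is auditable downstream.
  if "aci" in [tags]             { mutate { add_field => { "[@metadata][route]" => "aci" } } }
  else if "checkpoint" in [tags] { mutate { add_field => { "[@metadata][route]" => "checkpoint" } } }
  else if "cisco-ios" in [tags]  { mutate { add_field => { "[@metadata][route]" => "cisco-ios" } } }
  else                           { mutate { add_field => { "[@metadata][route]" => "unclassified" } } }
}

output {
  # Hand the event to the matching processing pipeline. Unmatched senders go to a
  # catch-all pipeline so that nothing is silently dropped and new devices are visible.
  if [@metadata][route] == "aci"             { pipeline { send_to => ["aci"] } }
  else if [@metadata][route] == "checkpoint" { pipeline { send_to => ["checkpoint"] } }
  else if [@metadata][route] == "cisco-ios"  { pipeline { send_to => ["cisco-ios"] } }
  else                                       { pipeline { send_to => ["unclassified"] } }
}

# ---------- aci.conf (one of the per-family pipelines) ----------
input {
  pipeline { address => "aci" }
}
filter {
  # Vendor-specific parsing (grok/dissect) for ACI goes here.
}
output {
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]   # assumed endpoint
    index => "logs-aci-%{+YYYY.MM.dd}"
  }
}
```

Two practical notes on the design. Source-IP classification is only as trustworthy as the network path: UDP syslog is trivially spoofable, so the `cidr` tags are a routing convenience, not an authentication of the sender; if that matters, send over TCP/TLS with a dedicated port per family, or terminate syslog on Filebeat next to the device and let Filebeat set `fields` that Logstash routes on instead of the address. The `unclassified` catch-all is worth keeping even in a single-tenant deployment, because a device that is added to the network but not to the CIDR list will otherwise disappear from the pipelines without any indication.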