Hi @Kinjal_Shah …! I have recently been playing around with Logstash again, reacquainting myself with it. Using the Integration PDF document you reference, I copied the two Appendices into two separate files… one for patterns, and one for config. I was able to get it working without too much issue. The one thing I changed was to add a specific link to the patterns file inside each grok block in the configuration. I think there’s probably a better way to do that, but I’m just trying to get it working.
So, for me: I have a patterns file (copied from appendix):
```
#
# TOP-LEVEL PATTERNS
#
SOLACE_REMOTE_COMMAND %{SYSLOG_PREAMBLE} %{SOLACE_MGMT_REMOTE_USER_INFO}\s*%{SOLACE_MGMT_EPILOGUE}
SOLACE_SHELL_COMMAND %{SYSLOG_PREAMBLE} %{SOLACE_MGMT_SHELL_USER_INFO}\s*%{SOLACE_MGMT_EPILOGUE}
SOLACE_EVENT_LOG %{SYSLOG_PREAMBLE} %{SOLACE_EVENT_EPILOGUE}
# .....[USERID]\[[PID]\]: [CMDSRC]/[ignored] \s* [CLIENT-ADDRESS]
# ..... devAdmin[14970]: SEMP/mgmt 14.140.217.68
# ..... admin[27647]: CLI/1 69.204.252.14
#
SOLACE_MGMT_REMOTE_USER_INFO %{SOLACE_MGMT_LOCAL_USER_INFO}/%{WORD}\s*%{IPORHOST:solace_client_address}
# ..... [USERID]\[[PID]\]: [CMDSRC] \s* [ignored] \s*
# ..... support[6528]: SHELL CLI/1
SOLACE_MGMT_SHELL_USER_INFO %{SOLACE_MGMT_LOCAL_USER_INFO}\s*%{NOTSPACE}
# ..... [USERID]\[[PID]\]: [CMDSRC]
# ..... rbc_devAdmin[14970]: SEMP/mgmt
# ..... support[6528]: SHELL
SOLACE_MGMT_LOCAL_USER_INFO %{DATA:syslog_userid}\[%{POSINT:syslog_pid}\]: %{WORD:solace_cmd_source}
# <[PRI]>[TIMESTAMP] [SERVERNAME]
# <142>Nov 18 21:30:05 demo-tr
SYSLOG_PREAMBLE <%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname}
# ..... [EVTAG] [SCOPE]: [EVENT_ID] : [MESSAGE]
# ..... event: SYSTEM: SYSTEM_AUTHENTICATION_SESSION_CLOSED: - - SEMP session (gory details etc.)
# ..... heinzvpnINFO: CLIENT: CLIENT_CLIENT_CLOSE_FLOW: kov perf-130-81/31733/#00000001 Client (702) (gory details etc.)
SOLACE_EVENT_EPILOGUE %{WORD:solace_event_log_tag}: %{WORD:solace_scope}: %{WORD:solace_event_id}: %{NOTSPACE:solace_vpn} %{NOTSPACE:solace_client} %{GREEDYDATA:solace_message}
# ..... [IGNORED] \s* [START]\s*[END] \s*[STATUS] [MESSAGE]
# ..... rbc_devAdmin 09:16:57 09:16:57 ok show queue (etc.)
# ..... admin 21:30:00 21:30:05 ok (config)# show syslog
# ..... admin --- --- --- (/usr/sw/jail/logs) tail -f command.log
SOLACE_MGMT_EPILOGUE %{WORD}\s*%{NOTSPACE:solace_cmd_start_time}\s*%{NOTSPACE:solace_cmd_end_time}\s*%{NOTSPACE:solace_cmd_status}\s*%{GREEDYDATA:solace_message}
```
And then I have the configuration file, which I modified to point to that patterns file:
```
input {
  tcp {
    port => "51420"
    type => syslog
  }
}
filter {
  if [type] == "syslog" {
    #### MGMT: command.log SEMP, CLI, SHELL
    if [message] =~ /: CLI\/|: SEMP\/|: SHELL/ {
      grok {
        patterns_dir => ["/etc/logstash/patterns"]
        # One match setting with a list of patterns, tried in order (first hit wins).
        # Repeating "match =>" for the same "message" key is not reliable: Logstash merges
        # repeated hash settings, so only the last pattern for that key is kept.
        match => { "message" => [ "%{SOLACE_REMOTE_COMMAND}", "%{SOLACE_SHELL_COMMAND}" ] }
        add_field => {
          "solace_event_id" => "MGMT_%{solace_cmd_source}"
          "solace_scope"    => "MGMT"
        }
      }
    }
    ### EVENTS: event.log or system.log w/vpn-specific tagging
    else if [message] =~ / CLIENT:| VPN:| SYSTEM:/ {
      grok {
        patterns_dir => ["/etc/logstash/patterns"]
        match => { "message" => "%{SOLACE_EVENT_LOG}" }
      }
    }
    ### UNKNOWN: just parse the SYSLOG basics and force the rest into the solace_message field
    else {
      grok {
        patterns_dir => ["/etc/logstash/patterns"]
        match => { "message" => "%{SYSLOG_PREAMBLE} %{GREEDYDATA:solace_message}" }
        # Set solace fields so we can search for these cases
        add_field => {
          "solace_event_id" => "UNKNOWN"
          "solace_scope"    => "UNKNOWN"
        }
      }
    }
    # Does the nasty parsing of the syslog_pri field into facility+severity
    # Has to wait until SYSLOG_PREAMBLE has been grokked first
    syslog_pri {}
  }
}
output {
  #file { path => "/tmp/log_everything.log" }
  if [type] == "syslog" and "_grokparsefailure" in [tags] {
    file { path => "./logs/failed_syslog_events.log" }
  }
  elasticsearch {
    # "host" is the Logstash 1.x setting; Logstash 2.x and later use hosts => ["localhost:9200"]
    host => localhost
  }
}
```
Hopefully that helps! Let me know.
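To check how the command.log patterns above resolve and why the order of the two grok patterns matters, here is an added Python example (not code from the post or from the Solace integration guide) that expands a grok patterns file into regexes and runs it over two constructed command.log lines; the stock grok patterns IPORHOST, SYSLOGTIMESTAMP and SYSLOGHOST are simplified stand-ins.

```python
import re
# Stand-ins for the stock grok patterns used here; the last three are simplified (assumption).
BASE_PATTERNS = {
    "WORD": r"\b\w+\b", "POSINT": r"\b(?:[1-9][0-9]*)\b", "DATA": r".*?",
    "NOTSPACE": r"\S+", "GREEDYDATA": r".*",
    "IPORHOST": r"(?:\d{1,3}(?:\.\d{1,3}){3}|[A-Za-z0-9._-]+)",
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}",
    "SYSLOGHOST": r"[A-Za-z0-9._-]+",
}
# The command.log subset of the post's patterns file, in grok's "NAME pattern" format.
PATTERNS_FILE = r"""
# comment and blank lines are skipped, as in a real patterns_dir file
SYSLOG_PREAMBLE <%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname}
SOLACE_MGMT_LOCAL_USER_INFO %{DATA:syslog_userid}\[%{POSINT:syslog_pid}\]: %{WORD:solace_cmd_source}
SOLACE_MGMT_REMOTE_USER_INFO %{SOLACE_MGMT_LOCAL_USER_INFO}/%{WORD}\s*%{IPORHOST:solace_client_address}
SOLACE_MGMT_SHELL_USER_INFO %{SOLACE_MGMT_LOCAL_USER_INFO}\s*%{NOTSPACE}
SOLACE_MGMT_EPILOGUE %{WORD}\s*%{NOTSPACE:solace_cmd_start_time}\s*%{NOTSPACE:solace_cmd_end_time}\s*%{NOTSPACE:solace_cmd_status}\s*%{GREEDYDATA:solace_message}
SOLACE_REMOTE_COMMAND %{SYSLOG_PREAMBLE} %{SOLACE_MGMT_REMOTE_USER_INFO}\s*%{SOLACE_MGMT_EPILOGUE}
SOLACE_SHELL_COMMAND %{SYSLOG_PREAMBLE} %{SOLACE_MGMT_SHELL_USER_INFO}\s*%{SOLACE_MGMT_EPILOGUE}
"""
REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")  # %{NAME} or %{NAME:field}
def load_patterns(text, base=BASE_PATTERNS):
    defs = dict(base)  # file definitions are added on top of the base set
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, pat = line.split(None, 1)
            defs[name] = pat
    return defs
def compile_grok(name, defs):
    """Recursively expand %{...} references into one Python regex with named groups."""
    def sub(m):
        inner = expand(defs[m.group(1)])
        return "(?P<%s>%s)" % (m.group(2), inner) if m.group(2) else "(?:%s)" % inner
    def expand(pat):
        return REF.sub(sub, pat)
    return re.compile(expand(defs[name]))
def grok_first(line, names, defs):
    """Like grok with match => { "message" => [...] }: the first pattern that matches wins."""
    for name in names:
        m = compile_grok(name, defs).match(line)
        if m:
            return name, m.groupdict()
    return None, {}
# Constructed command.log lines shaped like the examples in the post's pattern comments.
REMOTE_LINE = ("<142>Nov 18 21:30:05 demo-tr admin[27647]: CLI/1 69.204.252.14 "
               "admin 21:30:00 21:30:05 ok (config)# show syslog")
SHELL_LINE = ("<142>Nov 18 21:30:05 demo-tr support[6528]: SHELL CLI/1 "
              "support --- --- --- (/usr/sw/jail/logs) tail -f command.log")
```

Running `grok_first(REMOTE_LINE, ["SOLACE_SHELL_COMMAND"], defs)` shows the shell pattern alone also matches a remote-command line but puts the wrong tokens into the time and status fields, which is why SOLACE_REMOTE_COMMAND has to be tried first.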