Anyone sourcing from beats

newer
match filter scale issue

older
SYSLOG-NG issue with ES 6.X

Evan Rempel

10 Jan 2018 10 Jan '18

9:42 p.m.

Looking for a clean way to get beats products to send data to syslog-ng. Does anyone have a working example? -- Evan

Show replies by date

Scot

11 Jan 11 Jan

1:47 a.m.

Posted in thread. Re: Re: [syslog-ng] Syslog-ng input for beats ? [SUMMARY01] On Wed, Jan 10, 2018 at 4:42 PM, Evan Rempel <erempel@uvic.ca> wrote:

...

Looking for a clean way to get beats products to send data to syslog-ng.

Does anyone have a working example?

-- Evan

____________________________________________________________ __________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product= syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq

Laszlo Budai

5:43 a.m.

Hi, you mean Elastic Beats? Could you share your use case in more details(what kind of beats you would like to use, and so on)? regards, Laszlo Budai Get Outlook for iOS<https://aka.ms/o0ukef> ________________________________ From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Scot <scotrn@gmail.com> Sent: Thursday, January 11, 2018 2:47:52 AM To: Syslog-ng users' and developers' mailing list Subject: Re: [syslog-ng] Anyone sourcing from beats Posted in thread. Re: Re: [syslog-ng] Syslog-ng input for beats ? [SUMMARY01] On Wed, Jan 10, 2018 at 4:42 PM, Evan Rempel <erempel@uvic.ca<mailto:erempel@uvic.ca>> wrote: Looking for a clean way to get beats products to send data to syslog-ng. Does anyone have a working example? -- Evan ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq

Evan Rempel

5:23 p.m.

At the moment I am focused on winlogbeats. The latest releases of winlogbeats don't have a streaming json output. This means that the json parser will not accept the raw data. I will also want to use filebeat as well. I would be happy with a way for syslog-ng to consume any of the output formats of the Elastic Beats family. The list is Elasticsearch Logstash Kafka Redis My understanding is that Logstash is really the lumberjack protocol version 2. I think that the only 2 realistic formats for consumption by syslog-ng would be Logstash or Kafka. The Elasticsearch protocol is over http(s) which is not a good fit for syslog-ng input. Evan. On 01/10/2018 09:43 PM, Laszlo Budai wrote:

...

Hi,

you mean Elastic Beats? Could you share your use case in more details(what kind of beats you would like to use, and so on)?

regards, Laszlo Budai

Get Outlook for iOS <https://aka.ms/o0ukef> -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- *From:* syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Scot <scotrn@gmail.com> *Sent:* Thursday, January 11, 2018 2:47:52 AM *To:* Syslog-ng users' and developers' mailing list *Subject:* Re: [syslog-ng] Anyone sourcing from beats Posted in thread.

Re: Re: [syslog-ng] Syslog-ng input for beats ? [SUMMARY01]

On Wed, Jan 10, 2018 at 4:42 PM, Evan Rempel <erempel@uvic.ca <mailto:erempel@uvic.ca>> wrote:

Looking for a clean way to get beats products to send data to syslog-ng.

Does anyone have a working example?

-- Evan

Czanik, Péter

8:40 a.m.

Hi, Beats can send logs either to Logstash, Elasticsearch or Kafka. I gave the protocol used with Elasticsearch a try, but it does not work unfortunately. It's a two way protocol, so even if I got JSON sent by Beats parsed by syslog-ng, communication died quickly between the two. Finally I gave up and used Logstash between Beats and syslog-ng, just as Scot. My blog discusses extracting original syslog messages from messages collected by filebeat: https://www.balabit.com/blog/sending-logs-logstash-syslog-ng/ Other Beats messages should work similarly and you can most likely spare some of the dark magic employed :) Bye, Peter Czanik (CzP) <peter.czanik@balabit.com> Balabit / syslog-ng upstream https://www.balabit.com/blog/author/peterczanik/ https://twitter.com/PCzanik On Wed, Jan 10, 2018 at 10:42 PM, Evan Rempel <erempel@uvic.ca> wrote:

...

Looking for a clean way to get beats products to send data to syslog-ng.

Does anyone have a working example?

-- Evan

____________________________________________________________ __________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product= syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq

2802

Age (days ago)

2803

Last active (days ago)

List overview

Download

4 comments

4 participants

participants (4)

Czanik, Péter
Evan Rempel
Laszlo Budai
Scot