I have set up the Kiwi Syslog Server where I'm collecting the SonicWall firewall traffic logs, but I want to access those logs through an API or send them to Elasticsearch. Is there any way to set up Logstash and Elasticsearch to collect the firewall logs from the Kiwi Syslog Server where we are collecting them?
2 Answers
In my opinion you have two options:

1. Let Logstash read the text file output of the Kiwi Syslog Server.
   - This is the option if you do other things with the syslogs than sending them to Elasticsearch.
2. Use the Logstash syslog input and have Logstash listen for syslog events, process them and send them to Elasticsearch. [Info on the Logstash syslog input can be found here]
   - This implies you get rid of Kiwi.
Thanks!! @YouryDW I'll try to do that. – ShyamBabu Sharma May 05 '21 at 06:43
You can't send directly to Elasticsearch, but you can configure Kiwi to forward the logs to another place; if you configure Logstash to receive these logs you can then send them to Elasticsearch.

You can use the udp, tcp or syslog input to do this. The main difference is that the syslog input will help with the parsing, but the syslog message must follow the format specified in the RFC, and I'm not sure if this is the case with Kiwi.

To use the syslog input you just need a configuration like this one.
```conf
input {
  syslog {
    port => 5514   # placeholder: the port you configure Kiwi to forward to
  }
}
output {
  elasticsearch {
    hosts => ["http://your-elasticsearch-host:9200"]   # placeholder: your Elasticsearch output settings
  }
}
```
Thanks so much @leandrojmp. I'm trying to setup the logstash to collect the logs from the kiwi. – ShyamBabu Sharma May 05 '21 at 06:44
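As an added check that is not part of either answer, the Python script below tests whether forwarded lines have the RFC 3164 shape the Logstash syslog input expects, decodes the PRI into facility and severity, and pulls the key=value pairs out of a SonicWall-style message body; the sample lines, hostname and addresses are constructed, and the Kiwi text-file layout shown is an assumption about its default export format.

```python
import re

# RFC 3164 header shape that the Logstash syslog input parses on the wire:
# "<PRI>Mmm dd HH:MM:SS hostname message"
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<message>.+)$"
)
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]
# SonicWall message bodies are key=value pairs; values may be double-quoted.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_rfc3164(line):
    # Return the decoded header plus key=value fields, or None if the line is not RFC 3164.
    m = RFC3164.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # PRI = facility * 8 + severity, facility 0-23, severity 0-7
        return None
    fields = {k: v.strip('"') for k, v in KV.findall(m.group("message"))}
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "fields": fields,
    }

def triage(lines):
    # Split a capture into events the syslog input can parse and raw lines
    # that would need the udp/tcp input plus a grok filter instead.
    parsed, fallback = [], []
    for line in lines:
        event = parse_rfc3164(line)
        if event is None:
            fallback.append(line)
        else:
            parsed.append(event)
    return parsed, fallback

# Constructed sample: one RFC 3164 line as a firewall would send it, and one
# line in Kiwi's tab-delimited text-file layout (assumed) that the syslog input rejects.
SAMPLE = [
    '<134>May  5 06:43:00 fw01 id=firewall pri=6 m=98 msg="Connection Opened" src=10.0.0.5:51234 dst=198.51.100.7:443',
    '2021-05-05 06:43:00\tLocal0.Info\t203.0.113.1\tid=firewall msg="Connection Opened"',
]
```

Run `triage(SAMPLE)` over a short capture of what Kiwi actually forwards: if the fallback list is non-empty, use the udp or tcp input with your own grok pattern instead of the syslog input.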