Saving logs to Logstash

I am configuring my switches to save their logs to a central log server running Logstash. I had 2 questions regarding this. I'm using Summit switches.

1. Does anyone know which facility is used for what? That is, when I type "configure syslog add vr vr-default" and hit tab, I get this list:

Remote syslog servers facility
"local0" "local1" "local2" "local3" "local4" "local5" "local6" "local7"

I've configured my switch to use all 8 of them, and it works, but do I need to do all 8?

2. Is anyone familiar enough with Logstash to know how to modify the syslog filter so that it can parse these messages: "11/06/2014 10:46:15.95 [i]...". I'm brand new to Logstash, so I don't know how to plug in regular expressions to get the timestamp, priority, process name, and message (I can write the regexes just fine, I just don't know how to plug them in).

Here's a regex real quick: (\d\d/\d\d/\d\d\d\d \d\d:\d\d:\d\d.\d\d) <(\w+):(\w+).(\w+)>(.*)
Match 1 is timestamp.
Match 2 is priority.
Match 3 is process name.
Match 4 is part of the message I guess.
Match 5 is the message.

The timestamp needs to be in what Logstash calls Grok format, something like "MM/dd/yyyy hh:mm:ss.??". Anyway, I'm reading about this now, I was just hoping maybe someone might've already done this and I could piggyback.
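The following is an added example of how a regex like the one above is plugged into a Logstash filter; it is not from the original post or from any Extreme Networks documentation. It assumes the syslog input (or an earlier grok) has already stripped the RFC 3164 header so that the `message` field starts with the EXOS payload in the `<Priority:Process> text` layout the regex above describes; the sample line in the comments is constructed, and all `exos_*` field names are chosen here.

```conf
filter {
  # Assumption: "message" holds the EXOS payload after the syslog header, e.g.
  #   11/06/2014 10:46:15.95 <Info:vlan.msgs.portLinkStateUp> Port 1 link UP
  # (constructed sample line, not taken from the post).
  # Built-in grok patterns replace the hand-written regex:
  #   DATE_US     = MM/DD/YYYY          TIME      = HH:MM:SS(.fraction)
  #   WORD        = one token           DATA      = shortest match up to ">"
  #   GREEDYDATA  = rest of the line
  grok {
    match => {
      "message" => "%{DATE_US:exos_date} %{TIME:exos_time} <%{WORD:exos_priority}:%{DATA:exos_process}> %{GREEDYDATA:exos_message}"
    }
    # Lines in another layout (such as the "[i]" form) are not dropped: they
    # keep the original "message" and get this tag so they can be searched for
    # and a second pattern added later.
    tag_on_failure => ["_exos_grokparsefailure"]
  }

  if "_exos_grokparsefailure" not in [tags] {
    # Join the two captures into one string the date filter can parse.
    mutate {
      add_field => { "exos_timestamp" => "%{exos_date} %{exos_time}" }
    }
    # Joda-time format: 24-hour clock, hundredths of a second.
    # Set the switches' timezone here if it is not UTC; otherwise event times
    # will be shifted when correlated with logs from other sources.
    date {
      match    => [ "exos_timestamp", "MM/dd/yyyy HH:mm:ss.SS" ]
      target   => "@timestamp"
      timezone => "UTC"
    }
    mutate { remove_field => [ "exos_date", "exos_time", "exos_timestamp" ] }
  }
}
```

With this in place, each parsed event carries `exos_priority`, `exos_process` and `exos_message` as separate fields, and `@timestamp` reflects the time the switch recorded rather than the time Logstash received the line, which matters when events from several devices are put on one timeline.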


3 replies

Well, I think I figured out that by configuring all 8 local levels I'm getting 8 copies of log messages. So I only need one of those.

I eventually gave up on the Logstash thing. I did figure out that it uses a grok filter, but I'm going to need more time to figure out how it works. I also figured out that I'm getting enough information that it's useful the way it is.
Hi James,
I'm not very familiar with logstash, but you may be interested in looking at Splunk. It's very easy to set up and configure and may not be as picky about formatting. It provides facilities for building your own dashboards and reports by clicking fields you want to watch - less RegEx!

The local0-local7 options are so that you can group filters and log level configurations. If you only want certain sets of data to be sent to a particular target, you can configure that from the switch and then only send that "filtered" data to your syslog target. As you've discovered, you generally only need one of them.

If you do decide to try Splunk, the Extreme Networks EXOS for Splunk app may also be of interest if your Extreme gear can run EXOS 15.4+. It doesn't analyze "real-time" data, but rather provides an overview of network and device status based on reports through a configurable reporting frequency, part of the EXOS Proactive Service Framework. Full setup instructions are included in the app's readme file.

I hope this helps!

Eventually my syslog server is going to be collecting logs from around 200-400 devices. I am familiar with Splunk but I expect I'll hit the data caps that will make it more expensive than I can afford. Because of that I've stayed away from actually trying it out.

From what I know about Logstash (and Elasticsearch and Kibana), it is as capable as Splunk, but like a lot of open-source products the ease of use, training and documentation are slim, pushing free users to become customers. In the meantime, I have far more than I had before. If I ever do figure out how to get Logstash to intelligently parse the EXOS logs I'll leave a message here with how I did that. Thanks for the information.