This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- RE: Saving logs to Logstash
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Saving logs to Logstash
Saving logs to Logstash
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-06-2014 05:07 PM
I am configuring my switches to save their logs to a central log server running Logstash. I had 2 questions regarding this. I'm using Summit switches.
1. Does anyone know which facility is used for what? That is, when I type "configure syslog add 10.0.0.1:514 vr vr-default" and hit tab, I get this list:
Remote syslog servers facility
"local0" "local1" "local2" "local3" "local4" "local5" "local6" "local7"
I've configured my switch to use all 8 of them, and it works, but do I need to do all 8?
2. Is anyone familiar enough with Logstash to know how to modify the syslog filter so that it can parse these messages: "11/06/2014 10:46:15.95 ...". I'm brand new to Logstash, so I don't know how it to plug in regular expressions to get the timestamp, priority, process name, and message (I can write the regex's just fine, just don't know how to plug them in).
Here's a regex real quick: (\d\d/\d\d/\d\d\d\d \d\d:\d\d:\d\d.\d\d) <(\w+):(\w+).(\w+)>(.*)
Match 1 is timestamp.
Match 2 is priority.
Match 3 is process name.
Match 4 is part of the message I guess.
Match 5 is the message.
The timestamp needs to be in what Logstash calls Grok format, something like "MM/dd/yyyy hh??ss.??". Anyway, I'm reading about this now, I was just hoping maybe someone might've already done this and I could piggyback.
Thanks.
1. Does anyone know which facility is used for what? That is, when I type "configure syslog add 10.0.0.1:514 vr vr-default" and hit tab, I get this list:
"local0" "local1" "local2" "local3" "local4" "local5" "local6" "local7"
I've configured my switch to use all 8 of them, and it works, but do I need to do all 8?
2. Is anyone familiar enough with Logstash to know how to modify the syslog filter so that it can parse these messages: "11/06/2014 10:46:15.95 ...". I'm brand new to Logstash, so I don't know how it to plug in regular expressions to get the timestamp, priority, process name, and message (I can write the regex's just fine, just don't know how to plug them in).
Here's a regex real quick: (\d\d/\d\d/\d\d\d\d \d\d:\d\d:\d\d.\d\d) <(\w+):(\w+).(\w+)>(.*)
Match 1 is timestamp.
Match 2 is priority.
Match 3 is process name.
Match 4 is part of the message I guess.
Match 5 is the message.
The timestamp needs to be in what Logstash calls Grok format, something like "MM/dd/yyyy hh??ss.??". Anyway, I'm reading about this now, I was just hoping maybe someone might've already done this and I could piggyback.
Thanks.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
09-22-2020 02:08 PM
Hi,
Did u manage to make your logstash works ?
Regards
Rija
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-06-2014 09:00 PM
Eventually my syslog server is going to be collecting logs from around 200-400 devices. I am familiar with Splunk but I expect I'll hit the data caps that will make it more expensive than I can afford. Because of that I've stayed away from actually trying it out.
From what I know about Logstash (and Elasticsearch and Kibana), it is as capable as Splunk, but like a lot of opensource products the ease of use, training and documentation is slim, pushing free users to become customers. In the meantime, I have far more than I had before. If I ever do figure out how to get Logstash to intelligently parse the EXOS logs I'll leave a message here with how I did that. Thanks for the information.
From what I know about Logstash (and Elasticsearch and Kibana), it is as capable as Splunk, but like a lot of opensource products the ease of use, training and documentation is slim, pushing free users to become customers. In the meantime, I have far more than I had before. If I ever do figure out how to get Logstash to intelligently parse the EXOS logs I'll leave a message here with how I did that. Thanks for the information.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-06-2014 07:36 PM
Hi James,
I'm not very familiar with logstash, but you may be interested in looking at Splunk. It's very easy to set up and configure and may not be as picky about formatting. It provides facilities for building your own dashboards and reports by clicking fields you want to watch - less RegEx!
The local0-local7 options are so that you can group filters and log level configurations. If you only want certain sets of data to be sent to a particular target, you can configure that from the switch and then only send that "filtered" data to your syslog target. As you've discovered, you generally only need one of them.
If you do decide to try Splunk, the Extreme Networks EXOS for Splunk app may also be of interest if your Extreme gear can run EXOS 15.4+. It doesn't analyze "real-time" data, but rather provides an overview of network and device status based on reports through a configurable reporting frequency, part of the EXOS Proactive Service Framework. Full setup instructions are included in the app's readme file.
I hope this helps!
-Drew
I'm not very familiar with logstash, but you may be interested in looking at Splunk. It's very easy to set up and configure and may not be as picky about formatting. It provides facilities for building your own dashboards and reports by clicking fields you want to watch - less RegEx!
The local0-local7 options are so that you can group filters and log level configurations. If you only want certain sets of data to be sent to a particular target, you can configure that from the switch and then only send that "filtered" data to your syslog target. As you've discovered, you generally only need one of them.
If you do decide to try Splunk, the Extreme Networks EXOS for Splunk app may also be of interest if your Extreme gear can run EXOS 15.4+. It doesn't analyze "real-time" data, but rather provides an overview of network and device status based on reports through a configurable reporting frequency, part of the EXOS Proactive Service Framework. Full setup instructions are included in the app's readme file.
I hope this helps!
-Drew
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
11-06-2014 06:20 PM
Well, I think I figured out that by configuring all 8 local levels I'm getting 8 copies of log messages. So I only need one of those.
I eventually gave up on the Logstash thing. I did figure out that it uses a grok filter, but I'm going to need more time to figure out how it works. I also figured out that I'm getting enough information that it's useful the way it is.
I eventually gave up on the Logstash thing. I did figure out that it uses a grok filter, but I'm going to need more time to figure out how it works. I also figured out that I'm getting enough information that it's useful the way it is.
