Install syslog agent

  • We will add an Elastic Agent to handle syslog ingestion

  • In Kibana, create an agent policy

    • Management -> Fleet -> Agent policies -> Create agent policy

    • Call it Syslog Agent

    • Uncheck “Collect system logs and metrics”

    • Keep the defaults otherwise

    • When it’s created, click on the 3 dots under Actions for your new policy, and select View policy

      • Note the id (it will be in a GUID format, e.g. a8944404-e5a7-4675-b9e4-e3814e3abebb)

  • In Kibana, take note of the enrollment token for the new policy:

    • Management -> Fleet -> Enrollment tokens

    • Find the Default token for your new Agent policy

    • Make note of the token secret (it will be a Base64 string, e.g. RWpJay1aWUJrODlFcWpQLVpWc1M6emEwOEhQZVNUNnVPQXZCSTc2SGRjQQ==)

  • Create a new agent with the agent policy and enrollment token

  • Add the Syslog integration to your Syslog Agent policy

    • Management -> Fleet -> Agent policies -> Syslog Agent -> Add integration

    • Search for “Custom UDP Logs” and click Add Custom UDP Logs

    • Change the defaults:

      • Listen Address: 0.0.0.0

      • Listen Port: 5514

      • Dataset name: syslog

      • Syslog Parsing: enabled

    • Save and continue, applying to the Syslog Agent policy and deploying to the agent.

  • Test syslog functionality from within the cluster

      # Spin up a temporary pod to run the test from
      kubectl run syslog-test --image=nicolaka/netshoot -it --rm --restart=Never -- bash

      # Send a syslog message to our syslog-agent - this will hang
      logger -n syslog-service.elastic-stack.svc.cluster.local -P 5514 "Test message from within the cluster"

    • Look for the message in Kibana -> Discover:

      • Search for message: "test message"

  • Set up a DNS entry for your syslog endpoint

    • Traefik won’t do this for you, since syslog is a UDP endpoint

    • Find the IP address of a cluster node (the command below prints the addresses of the first node):

        kubectl get nodes -o jsonpath='{.items[0].status.addresses}'
      
    • Create a DNS A record and test it resolves

  • Test syslog functionality from outside the cluster

    • I tested from WSL on a Windows host

        logger -n YOUR_DNS_A_RECORD_FROM_ABOVE -P 5514 "Test message from outside the cluster"

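As an added example (not part of the original post), a Python stand-in for the `logger` tests above: it builds the same kind of RFC 3164 datagram that `logger -n HOST -P 5514` emits, sends it over UDP, and decodes the `<PRI>` header into the facility and severity that the integration's Syslog Parsing option derives. The loopback listener is an assumption standing in for the agent's 0.0.0.0:5514 listener, so the script runs without a cluster.

```python
import socket
import time

# Facility/severity tables from RFC 3164 / RFC 5424 (PRI = facility * 8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def build_message(facility, severity, hostname, app, text, ts=None):
    """Build an RFC 3164 datagram of the shape `logger -n HOST -P 5514` sends."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    ts = ts or time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {app}: {text}".encode()


def parse_pri(datagram):
    """Decode the <PRI> header into facility/severity names, as Syslog Parsing does.
    Returns None for a datagram without a valid PRI (it would land as a raw message)."""
    if not datagram.startswith(b"<") or b">" not in datagram[:5]:
        return None
    end = datagram.index(b">")
    pri = int(datagram[1:end])
    return {"facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8],
            "message": datagram[end + 1:].decode(errors="replace")}


def send_udp(datagram, host, port=5514):
    """Fire one datagram at a Custom UDP Logs listener; plain UDP syslog gets no reply and
    carries no authentication, so reachability of port 5514 is what limits who can inject."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (host, port))


def loopback_roundtrip(datagram):
    """Assumed stand-in for the agent: bind a UDP listener on 127.0.0.1, send, parse arrival."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # ephemeral port; the real agent uses 0.0.0.0:5514
        listener.settimeout(2)
        send_udp(datagram, "127.0.0.1", listener.getsockname()[1])
        data, _ = listener.recvfrom(65535)
    return parse_pri(data)


if __name__ == "__main__":
    msg = build_message("user", "notice", "netshoot", "logger", "Test message from within the cluster")
    print(loopback_roundtrip(msg))
```

Point `send_udp` at the DNS A record from the step above to reproduce the outside-the-cluster test, then search Kibana -> Discover for the message text as described.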

Configure Syslog Sources

This will be on a source-by-source basis. An example from Mikrotik: Mikrotik - Syslog with Elasticsearch
