Has anyone used Clearpass Syslog Targets with the ELK (Elasticsearch, Logstash, and Kibana) Stack?
I'm getting data into ELK by using the syslog export filters for Splunk that are provided in the Splunk Integration Guide, together with the following Logstash configuration:
I'm wondering if anyone has created a Kibana dashboard to analyze the results.
Thanks.
input {
  # Two listeners on the same port, one per transport, so ClearPass can send
  # syslog over either UDP or TCP. Both label events "syslog", which is the
  # value the filter and output sections branch on.
  udp {
    type => syslog
    port => 5000
  }
  # Plaintext TCP as configured here; nothing on this page turns on TLS for
  # this listener (the tcp input's ssl_enable/ssl_cert/ssl_key options would
  # be the place to do that if the ClearPass side can send over TLS).
  tcp {
    type => syslog
    port => 5000
  }
}
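filter {
  # ClearPass (CPPM) branch. The regex test is a plain substring match, so
  # any syslog line that mentions "CPPM" anywhere in its text takes this
  # path, not only lines that came from a ClearPass syslog target.
  if [type] == "syslog" and [message] =~ "CPPM" {
    grok {
      # Header layout as sent by the ClearPass syslog target (ISO-8601
      # timestamp). The literal "1 0" between the pid and the body is kept
      # exactly as in the original pattern.
      match => { "message" => "<%{POSINT:syslog_pri}>%{TIMESTAMP_ISO8601:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} %{POSINT:syslog_pid} 1 0 %{GREEDYDATA:syslog_message}" }
    }
    # Expand the exported key=value body into CPPM_* fields.
    # NOTE: field_split is a single comma, so a value that itself contains a
    # comma is split at that comma too; check the export filter output if a
    # field looks truncated.
    kv {
      source => "syslog_message"
      field_split => ","
      prefix => "CPPM_"
      # Fix: the original add_tag => "CPPM, grokkd" added ONE tag whose text
      # was literally "CPPM, grokkd". An array adds two separate tags, which
      # is what a Kibana filter such as tags:CPPM needs.
      add_tag => ["CPPM", "grokkd"]
    }
  }
  # Generic syslog branch (RFC 3164-style timestamp, optional "[pid]").
  else if [type] == "syslog" {
    grok {
      match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
  }
}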
output {
if [type] == "syslog" and "_grokparsefailure" in [tags] {
file { path => "/tmp/failed_syslog_events-%{+YYYY-MM-dd}" }
}
else {
elasticsearch { host => "localhost" }
}