Forward firewall logs from Kiwi Syslog Server to Elasticsearch?


I have set up the Kiwi Syslog Server, where I'm collecting the SonicWall firewall traffic logs, but I want to access those logs through an API or send them to Elasticsearch. Is there any way to set up Logstash and Elasticsearch to collect the firewall logs from the Kiwi syslog server where we are collecting them?



There are 2 best solutions below


In my opinion you have two options:

  • Let Logstash read the txt file output of the Kiwi Syslog Server.

    • This will be the option if you do other things with the syslogs than sending them to Elasticsearch.
  • Use the Logstash syslog input and have Logstash listen for syslog events, process them and send them to Elasticsearch. [Info on the Logstash syslog input can be found here]

    • This implies you get rid of Kiwi.

You can't send directly to Elasticsearch, but you can configure Kiwi to forward the logs to another place; if you configure Logstash to receive these logs, you can then send them to Elasticsearch.

You can use the udp, tcp or syslog input to do this. The main difference is that the syslog input will help with the parsing, but the syslog message must follow the format specified in the RFC, and I'm not sure if this is the case with Kiwi.

To use the syslog input you just need a configuration like this one:

input {
    syslog {
        port => "port-to-listen-to"
    }
}

output {
    elasticsearch {
        your-elasticsearch-output
    }
}
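An added check for the caveat in the answer above about the RFC format (this is example code written here, not part of the answer, Kiwi, or Logstash): the Logstash syslog input is a udp/tcp listener plus a grok pattern of the shape `<PRI>TIMESTAMP HOST TAG[PID]: MESSAGE` (RFC 3164) and a PRI decoder, and a line that does not match that shape is indexed unparsed with a grok-failure tag. The script below mirrors that shape, decodes PRI into facility and severity, and splits a key=value message body of the kind many firewalls emit. Feed it a few lines captured from what Kiwi actually forwards (for example with tcpdump on the forwarding port) to decide whether the syslog input will parse them or whether you need the plain tcp/udp input with your own grok. The sample lines, host names, addresses and key=value field names are constructed placeholders, not real Kiwi or SonicWall output.

```python
"""Added example: does a forwarded line match what Logstash's syslog input expects?

Everything in SAMPLE_LINES is constructed for illustration (placeholder hosts,
addresses, serial and field names), not captured Kiwi or SonicWall output.
"""
import re
from typing import Dict, List, Optional, Tuple

# Mirrors the RFC 3164 layout the Logstash syslog input parses:
#   <PRI>TIMESTAMP HOST [TAG[PID]: ]MESSAGE
# Anything that does not match here would come out of Logstash unparsed.
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<program>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<body>.*)$"
)

# RFC 3164 facility (PRI // 8) and severity (PRI % 8) names; index = code.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
    "solaris-cron", "local0", "local1", "local2", "local3", "local4",
    "local5", "local6", "local7",
]
SEVERITIES = [
    "emergency", "alert", "critical", "error",
    "warning", "notice", "informational", "debug",
]

# Generic key=value splitter for the message body; quoted values keep spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed samples: an RFC 3164 line with a key=value body, a line whose
# header was rewritten into a date/level/host/message shape (no <PRI>, so the
# syslog input cannot parse it), and an RFC 3164 line with no program tag.
SAMPLE_LINES = [
    '<134>Mar  9 10:15:42 fw01 sonicwall: id=firewall sn=0000000000 '
    'time="2021-03-09 10:15:42" fw=203.0.113.10 pri=6 c=1024 m=98 '
    'msg="Connection Opened" src=10.0.0.5:51234:X0 dst=198.51.100.20:443:X1 '
    'proto=tcp/https',
    '2021-03-09 10:15:43\tLocal0.Info\t203.0.113.10\tid=firewall '
    'sn=0000000000 m=98 msg="Connection Opened"',
    '<13>Mar  9 10:15:44 fw01 Connection Closed',
]


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a syslog PRI value into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_kv(body: str) -> Dict[str, str]:
    """Turn 'a=1 b="two words"' into {'a': '1', 'b': 'two words'}."""
    return {k: v.strip('"') for k, v in KV.findall(body)}


def parse_rfc3164(line: str) -> Optional[dict]:
    """Return the parsed event, or None when the line is not RFC 3164."""
    m = RFC3164.match(line)
    if m is None:
        return None
    event = m.groupdict()
    event["facility"], event["severity"] = decode_pri(int(event["pri"]))
    event["fields"] = parse_kv(event["body"])  # {} when the body is free text
    return event


def classify(lines: List[str]) -> Tuple[List[dict], List[str]]:
    """Split lines into (parsed events, lines the syslog input would reject)."""
    parsed: List[dict] = []
    rejected: List[str] = []
    for line in lines:
        event = parse_rfc3164(line)
        if event is None:
            rejected.append(line)
        else:
            parsed.append(event)
    return parsed, rejected


if __name__ == "__main__":
    ok, bad = classify(SAMPLE_LINES)
    for ev in ok:
        print(f"OK   {ev['facility']}.{ev['severity']} host={ev['host']} "
              f"program={ev['program']} fields={len(ev['fields'])}")
    for line in bad:
        print(f"FAIL not RFC 3164, use tcp/udp input + custom grok: {line[:40]}...")
```

If every captured line lands in the parsed list, the syslog input from the answer is enough; if lines land in the rejected list, switch to the tcp or udp input and write a grok pattern for the header Kiwi actually emits, then apply the same key=value split to the body.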