I tried the Logstash syslog example given in ELK page by making a slight change in logstash-syslog.conf from
input {
tcp {
port => 5000
type => syslog
}
udp {
port => 5000
type => syslog
}
}
to
input {
stdin { }
}
and tried the given example but the output has only message, #version, #timestamp and host, But I also need
"received_at"
"received_from"
"syslog_severity_code"
"syslog_facility_code"
"syslog_facility"
"syslog_severity"
what have I done wrong? Can somebody help me out? Thanks in advance.
Found the mistake. It doesn't work that way with stdin{}.May be it needs an input from a client.
When I input the log with telnet client it works fine.
Related
I am trying to forward logs through two syslog-ng relay server, which adds the first relay server IP as a source and in my SIEM, I am seeing all logs are coming from the first syslog relay server.
Setup is below.
Client --> Syslog-Relay1 ---> Syslog-Relay2 ---> SIEM
In SIEM I am seeing all the log source as Syslog-Relay1. I have played with multiple option, but no hope yet. Any idea what I am missing here ? I am not finding any proper documents / forums which explains this setup. This we are looking to meet some specific log flow, in case if you have a question why I am trying to achieve this. Thanks in advance
Following is my configuration:
Syslog-Relay1
#version:3.5
#include "scl.conf"
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
# located in /etc/syslog-ng/conf.d/
options {
time-reap(30);
mark-freq(10);
# keep-hostname(yes);
keep-hostname(no);
log_msg_size(65536);
log_fifo_size(10000);
threaded(yes);
flush_lines(100);
use_dns(no);
stats_freq(60);
mark_freq(36400);
use_fqdn(no);
# chain-hostnames(yes);
chain-hostnames(no);
};
source s_syslog_over_network {
network(
ip(0.0.0.0)
log-fetch-limit(200)
log-iw-size(1000000)
keep-alive(yes)
max_connections(10000)
port(9999)
transport("tcp")
flags(no-parse)
);
};
destination d_syslog_tcp {
network(
"10.12.86.98"
transport("tcp")
port(12229)
);
};
log {
source(s_syslog_over_network);
destination(d_syslog_tcp);
};
Syslog-Relay2
#version:3.5
#include "scl.conf"
# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
# located in /etc/syslog-ng/conf.d/
options {
time-reap(30);
mark-freq(10);
# keep-hostname(yes);
keep-hostname(no);
log_msg_size(65536);
log_fifo_size(10000);
threaded(yes);
flush_lines(100);
use_dns(no);
stats_freq(60);
mark_freq(36400);
use_fqdn(no);
# chain-hostnames(yes);
chain-hostnames(no);
};
source s_syslog_over_network {
network(
ip(0.0.0.0)
log-fetch-limit(200)
log-iw-size(1000000)
keep-alive(yes)
max_connections(10000)
port(12229)
transport("tcp")
flags(no-parse)
);
};
destination d_syslog_tcp {
network(
"10.12.86.76"
transport("tcp")
port(12221)
);
};
log {
source(s_syslog_over_network);
destination(d_syslog_tcp);
};
If you want to use the Client's IP address in SIEM, you have to:
set keep-hostname(no) and use-dns(no) on Syslog-Relay1
This will discard the orginal HOST field of the messages of Client
and use the IP address of Client instead.
set keep-hostname(yes) on Syslog-Relay2
On Syslog-Relay1, the HOST field of the message was overwritten. You
want to keep this and forward to SIEM.
remove flags(no-parse) from s_syslog_over_network on Syslog-Relay2
The IP of Client is stored in the message, so it has to be parsed before forwarding towards SIEM.
m curently working on converting an esxisting asterisk server to opensips, for better perfomance
for the most part it is working, but ive encountered an issue i cant really figure out.
asterisk is doing this :
if ("${fromourmobile}" != "") // Check if mobile Call Waiting is set to "n"
{
set(phonenumber=${FROM});
set(GROUP()=${phonenumber});
noop(Group Count: ${GROUP_COUNT(${phonenumber})});
if (${GROUP_COUNT(${phonenumber})} > 1)
{
Busy();
}
}
and this
if (${MATH(${EPOCH} % 2)} = 0)
{
set(dialhost=193.88.58.86);
Dial(SIP/${numbertodial}#${dialhost},60,wWtT);
&hangupcausecheck(${numbertodial}, ${dialhost});
switch (${DIALSTATUS})
{
case BUSY:
busy;
break;
default:
break;
}
set(dialhost=195.215.252.15);
Dial(SIP/${numbertodial}#${dialhost},60,wWtT);
&hangupcausecheck(${numbertodial}, ${dialhost});
switch (${DIALSTATUS})
{
case BUSY:
busy;
break;
default:
break;
}
i cant seem to find a similar way to do this in opensips, mostly the group_count() and the hangupcausecheck()
furthermore is there any equivalent to the $server variable from asterisk?
First think you need understand is
Asterisk is pbx-like software. Opensips is PROXY software.
There are no GROUPs, playback etc in Opensips. For programming opensips you have be expert in programming and FULLY understand how SIP protocol works.
Channel count can be emulated by using dialogs and caching servers. But it will not work if you config have any single error in BYE/CANCEL handling. There are no way check channel is active in most cases(becuase it not track channel's RTP data).
There is no application like Dial. Instead of that you have rewrite INVITE packet for proper destination/number.
I'm trying to send a subset of messages to Flowdock as output from Logstash. Unfortunately, due to this issue I get essentially nothing back about why my messages aren't making it. Stripping down to a basic example, I see the problem even if I change my output config to the following:
output {
http {
http_method => "post"
url => "https://api.flowdock.com/v1/messages/team_inbox/API_TOKEN"
format => "message"
content_type => "application/json"
message => "{\"source\":\"logstash\",\"from_address\":\"me#example.com\", \"subject\":\"Log Message\", \"content\":\"test\"}"
}
}
I know, though, that output is generally working because if I add the following to output I see log messages written to the file:
file {
path => "/mnt/test.log"
}
I also know that the http message I'm sending to Flowdock should work since
curl -X POST https://api.flowdock.com/v1/messages/team_inbox/API_TOKEN -d "{\"source\":\"logstash\",\"from_address\":\"me#example.com\",\"subject\":\"Log Message\",\"content\":\"test\"}" -H "Content-Type: application/json"
results in a message being posted to the team inbox.
Are there any ways to work around this issue to determine why my output from logstash is failing?
I would start debugging the issue by first sending the requests from Logstash to a service that just outputs the received request, for example RequestBin.
Something like:
output {
http {
http_method => "post"
url => "http://requestb.in/<created_id>"
format => "message"
content_type => "application/json"
message => "{\"source\":\"logstash\",\"from_address\":\"me#example.com\",\"subject\":\"Log Message\", \"content\":\"test\"}"
}
}
After you've made sure that the request Logstash is making is correct, take that request (preferably the exact data) and try to send it to Flowdock using curl or some other means.
At this point you should be able to tell why the request fails in either end and notify the party accordingly (i.e. open a ticket to https://logstash.jira.com/secure/Dashboard.jspa or send an email to support#flowdock.com).
Today my asterisk could not receive calls for a while. when I checked the asterisk logs, the error below was raising during this period.
Purely numeric hostname (1002), and not a peer--rejecting!
After I restarted the asterisk the problem solved. What is the problem?
Very likly that mean your dns server was not working. Use local dns caching server or more then one dns server.
Other posible situation - you calling somethign like SIP/1234, which is not in your sip.conf.
Here is related source part, it have description:
peer = sip_find_peer(peername, NULL, TRUE, FINDPEERS, FALSE, 0);
if (peer) {
int res;
if (newdialog) {
set_socket_transport(&dialog->socket, 0);
}
res = create_addr_from_peer(dialog, peer);
dialog->relatedpeer = sip_ref_peer(peer, "create_addr: setting dialog's relatedpeer pointer");
sip_unref_peer(peer, "create_addr: unref peer from sip_find_peer hashtab lookup");
return res;
} else if (ast_check_digits(peername)) {
/* Although an IPv4 hostname *could* be represented as a 32-bit integer, it is uncommon and
* it makes dialing SIP/${EXTEN} for a peer that isn't defined resolve to an IP that is
* almost certainly not intended. It is much better to just reject purely numeric hostnames */
ast_log(LOG_WARNING, "Purely numeric hostname (%s), and not a peer--rejecting!\n", peername);
return -1;
} else {
What is wrong with the code:
if i use system proxy the error displayed is “connection refused”
and if i use manual proxy (proxy address being same) error displayed is “Host not found”
The proxy server is squid with proxy-address:172.16.28.11 and port:3128
Besides, it also doesn’t work for localhost proxy like the one created using "tor" or dynamic port forwarding!
if(settDialog.ui->no_proxy->isChecked())
{
QNetworkProxyFactory::setUseSystemConfiguration (false);
QNetworkProxy::setApplicationProxy(QNetworkProxy::NoProxy);
}
else if(settDialog.ui->use_s_proxy->isChecked())
{
QNetworkProxyFactory::setUseSystemConfiguration (true);
}
else if(settDialog.ui->man_proxy->isChecked())
{
QNetworkProxyFactory::setUseSystemConfiguration (false);
proxy.setHostName(settDialog.ui->proxy_addr->text());
proxy.setPort(settDialog.ui->port_num->value());
if(settDialog.ui->proxyType->currentIndex()==0)
proxy.setType(QNetworkProxy::HttpProxy);
else if(settDialog.ui->proxyType->currentIndex()==1)
proxy.setType(QNetworkProxy::Socks5Proxy);
else if(settDialog.ui->proxyType->currentIndex()==2)
proxy.setType(QNetworkProxy::FtpCachingProxy);
proxy.setHostName(settDialog.ui->username->text());
proxy.setPassword(settDialog.ui->pwd->text());
QNetworkProxy::setApplicationProxy(proxy);
}
I may be over-simplifying things, but this looks like this is a simple incorrect API call.
proxy.setHostName is where you define the host name of the proxy server, you set the user name through the proxy.setUser API, i.e:
proxy.setUser(settDialog.ui->username->text());