Syslog only recognizing one source in Kibana


Judd Brown

May 30, 2019, 4:39:43 PM
to security-onion
Hello,

I have added several syslog sources via so-allow. I have verified packets from each source via tcpdump.

Only the first device I defined shows up in Kibana even though other source entries are flowing in on 514/UDP.

Any thoughts on why this is happening?

Thanks, Judd

Francois

May 31, 2019, 10:54:42 AM
to security-onion
If you look at the data flow in the diagram https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion-docs/master/images/elastic-architecture/data-flow.png, you will notice that syslog passes the data to Logstash. If your syslog data is not defined in Logstash, it will not be indexed in Elastic.

Have you read https://securityonion.readthedocs.io/en/latest/logstash.html#adding-new-logs-or-modifying-existing-parsing?

Hopefully this helps,

Francois

Wes Lambert

Jun 3, 2019, 4:25:12 PM
to securit...@googlegroups.com
Hi Judd,

How are you searching for the logs? Via a particular event type or other field, or by using full-text search?

Have you tried querying ES directly, instead of through Kibana, to see if you get the same results? Have you tried checking the Logstash log to see if events are getting hung up in the pipeline, or are unable to be indexed into ES?

Thanks,
Wes


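One way to do the direct-to-Elasticsearch check Wes suggests, as an added example that is not part of this thread or of Security Onion's own code: ask ES for a per-source count of syslog events and compare it with the list of devices permitted via so-allow, so you can see which sources never reach the index at all. The ES URL, the index pattern `logstash-syslog-*` and the field name `host` are assumptions; adjust them to match your Logstash filters.

```python
# Added example (not Security Onion code). Assumptions, to adjust per deployment:
# ES at http://localhost:9200, syslog events in 'logstash-syslog-*', sending
# device recorded in a keyword field named 'host'.
import json
import urllib.request

ES_URL = "http://localhost:9200"      # assumption
INDEX_PATTERN = "logstash-syslog-*"   # assumption
SOURCE_FIELD = "host"                 # assumption


def build_query(hours=24, size=100):
    """Terms aggregation: count indexed events per sending host over the last N hours."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": f"now-{hours}h"}}},
        "aggs": {"by_source": {"terms": {"field": SOURCE_FIELD, "size": size}}},
    }


def counts_from_response(resp):
    """Map each source host to its event count from an ES aggregation response."""
    buckets = resp.get("aggregations", {}).get("by_source", {}).get("buckets", [])
    return {b["key"]: b["doc_count"] for b in buckets}


def missing_sources(expected, counts):
    """Sources allowed via so-allow that have no indexed events at all."""
    return sorted(s for s in expected if counts.get(s, 0) == 0)


def query_es(body, url=ES_URL, index=INDEX_PATTERN):
    """POST the aggregation straight to Elasticsearch, bypassing Kibana."""
    req = urllib.request.Request(f"{url}/{index}/_search", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as r:
        return json.load(r)


# Constructed sample reply standing in for a live ES response: only one of the
# three allowed sources has indexed events, the symptom described in the thread.
SAMPLE_RESPONSE = {"aggregations": {"by_source": {"buckets": [
    {"key": "10.0.0.5", "doc_count": 1200}]}}}
EXPECTED_SOURCES = ["10.0.0.5", "10.0.0.6", "10.0.0.7"]  # constructed so-allow list

if __name__ == "__main__":
    counts = counts_from_response(SAMPLE_RESPONSE)  # live: query_es(build_query())
    for src in EXPECTED_SOURCES:
        print(f"{src}: {counts.get(src, 0)} events")
    print("no indexed events from:", missing_sources(EXPECTED_SOURCES, counts))
```

A source that tcpdump shows arriving on 514/UDP but that never appears in this count has been dropped between the socket and the index, which points at the Logstash filters or the Logstash log rather than at Kibana.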
