Release Automation

  • 1.  Send log to log server

    Posted Nov 17, 2016 08:50 AM

    Hello

    Is there any action pack for 6.2 that takes log information e.g. from a process and sends it to an elastic search logging server?

    I found a simple logging action that puts log information into a log file on the NAC (nice, but how do I get the file from there?)


    Cheers


    Ralph Staub



  • 2.  Re: Send log to log server

    Broadcom Employee
    Posted Nov 17, 2016 09:11 AM

    Hi Ralph,


    I am not familiar with an action/pack that specifically sends a message to an Elasticsearch server. Most of my experience with Elasticsearch is based on Logstash and the ELK Stack. Logstash can transfer messages to Elasticsearch but *I think* it is based on specific log files (not messages within the files). If that is not what you are looking for then I do know that Elasticsearch has a REST API. You might be able to find a REST API call for sending messages to it. The Elasticsearch 5.0 REST documentation can be found here: Document APIs | Elasticsearch Reference [5.0] | Elastic


    Cheers,

    Gregg



  • 3.  Re: Send log to log server

    Posted Nov 23, 2016 03:35 AM

    Hi Gregg

    Thank you for your answer, that's interesting. Indirectly you say that there is no such action pack available (yet).

    I started an idea:


    Enable RA to send log messages to central logging infrastructure 


    That there shall be such an implementation that allows producing adequate logging information which is stored centrally and can be searched easily. You may vote for it (if that has not already happened).


    Cheers

    Ralph



  • 4.  Re: Send log to log server

    Posted Nov 17, 2016 10:49 AM

    Hi Ralph,


    I am not sure I understand the question 100%. To clarify a bit: are you wanting to parse log information related to a specific process from one of the logs on the management server and/or agent and relay this to Elasticsearch directly?


    Typically, as Gregg mentioned, this would require writing a simple grok filter to prune what you want from the log(s) in question utilizing Logstash and one of several available input methods (e.g. filebeat, file, etc.), then output to Elasticsearch.


    Unfortunately, I am unaware of a method utilizing Elasticsearch alone with any available action pack to accomplish this scenario. I have heard of using alternatives to Logstash, such as rsyslog for example, to accomplish this, but I cannot think of a way (or am just not aware of a way) utilizing Elasticsearch or its API without a 3rd party, or 'middleman' of sorts, to convert and/or at minimum encapsulate the entire log message in JSON (Elasticsearch's native format for input).


    If I am misunderstanding your question please let me know; nonetheless, I do believe this is an excellent idea for an action pack to be created for the ELK stack, and would definitely encourage everyone to vote this up.


    Jeremy
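    The "middleman" step the two replies above describe, done in a few lines: parse a Release Automation log line into fields, wrap it as a JSON document, and POST it to the Elasticsearch 5.x Document API (POST /{index}/{type}) with no Logstash in between. This is an added example, not code from the thread or from any RA action pack; the log line format, the index and type names, and the host are assumptions.

```python
import json
import re
import urllib.request
from datetime import datetime, timezone

# Constructed sample line; the real NAC/agent log format is an assumption here.
SAMPLE_LINE = ("2016-11-17 08:50:12,345 ERROR [ProcessExecutor] "
               "Deploy step 'restart-service' failed on host app01: exit code 3")

# Equivalent of the grok filter the reply mentions: timestamp, level, logger, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] (?P<message>.*)$"
)


def line_to_document(line, source="ra-nac"):
    """Turn one log line into the JSON document Elasticsearch expects."""
    m = LINE_RE.match(line)
    if not m:
        # Keep unparseable lines instead of dropping them: gaps in a central
        # log are exactly what hides a failed or tampered deployment.
        return {"@timestamp": datetime.now(timezone.utc).isoformat(),
                "source": source, "level": "UNKNOWN",
                "message": line, "parse_error": True}
    # The line carries no zone; UTC is assumed for the sample.
    ts = datetime.strptime(f"{m['ts']}.{m['ms']}", "%Y-%m-%d %H:%M:%S.%f")
    ts = ts.replace(tzinfo=timezone.utc)
    return {"@timestamp": ts.isoformat(), "source": source,
            "level": m["level"], "logger": m["logger"],
            "message": m["message"]}


def index_document(doc, base_url="http://elasticsearch.example:9200",
                   index="ra-logs", doc_type="log"):
    """POST one document; Elasticsearch assigns the _id. Host/index assumed."""
    req = urllib.request.Request(
        f"{base_url}/{index}/{doc_type}",
        data=json.dumps(doc).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(line_to_document(SAMPLE_LINE), indent=2))
```

    Restrict the credential used for that POST to index-only rights on the log index, so a compromised NAC cannot read or delete what it has already shipped.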



  • 5.  Re: Send log to log server
    Best Answer

    Posted Nov 18, 2016 02:02 AM

    Hi Jeremy

    Thank you for the hint. I just posted an idea about it:


    Enable RA to send log messages to central logging infrastructure 


    Please vote for it.



  • 6.  Re: Send log to log server

    Broadcom Employee
    Posted Nov 23, 2016 03:24 AM

    Hi Ralph

    Did the answer from Gregg answer your question? If it did, please mark it as the right answer.
    If your question is not answered or you still have additional questions, please let us know.

    With Kind Regards



  • 7.  Re: Send log to log server

    Posted Nov 23, 2016 03:37 AM

    Hi Dirk

    The answer led in the right direction. You may vote for the resulting idea:

    Enable RA to send log messages to central logging infrastructure 


    Ralph