retrieve IP address of client in logstash - logstash-grok

I am new to the ELK stack and am sending the application log file to the logstash server via the tcp input method using the below command
cat test.log | nc server port
Please let me know how I can retrieve the IP address of the client machine as a field in the logstash configuration file.

Did you try adding the host IP when sending the message?

Related

Linux command to send data to a remote tcp-client

I have a Linux Server running Redhat Rhel 7 and a Device called "Compoint Lan System (Colas)" (german manufacturer). The Colas has its own firmware so I don't know if it's based on linux. The Colas is set as a TCP-Client. It receives messages from its serial 1 port. I get the messages coming from the serial port 1 of the colas on my server with rsyslog.
Now what I want is to send a string (2 letters) from my server (tcp-server) to my colas's serial port 1 (tcp-client) to get information of the device attached to serial port 1.
Is there a command in linux to accomplish that? Something like "command 'string message' destination port"? I am sorry if it isn't written well.
Install netcat
yum install nc
Make it to listen to a particular port number
nc -l portnumber &
Let's validate it using netstat from a different console:
netstat -anlp |grep yourportnumber
PS: Change the installation command based on your linux flavor.
Ranadip Dutta's answer meets your requirement. The listen there doesn't mean listen for incoming data, it rather means listen for connection request from client. Of course you can't use rsyslog and nc as the server at the same time, but with nc you get the messages coming from the Colas displayed as well as the characters you enter sent.

How do I capture syslog data sent to a specific port

I have a firewall that sends the data to our remote Linux server on the specific port. I would like to capture that data and parse it to store in DB.
So far I have tried tcpdump, nc and a few others without much success. Any help is appreciated.
tcpdump -ni device port 1234 -s0 -w capture.pcap
<30>device="SFW" date=2018-06-15 time=04:10:49
timezone="EDT" device_name="XG210" device_id=C2205ACMBG9B65A
log_id=010101600001 log_type="Firewall" log_component="Firewall Rule"
log_subtype="Allowed" status="Allow" priority=Information duration=0
fw_rule_id=2 policy_type=1 user_name="" user_gp="" iap=4
ips_policy_id=0 appfilter_policy_id=0 application=""
application_risk=0 application_technology="" application_category=""
in_interface="Port1" out_interface="" src_mac=00: 0:00: 0:00: 0
src_ip=111.11.1.111 src_country_code=R1 dst_ip=111.111.11.11
dst_country_code=USA protocol="TCP" src_port=61257 dst_port=80
sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip=
tran_src_port=0 tran_dst_ip=111.16.1.1 tran_dst_port=3128
srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN"
dir_disp="" connevent="Start" connid="2721376288" vconnid=""
hb_health="No Heartbeat" message="" appresolvedby="Signature"
We have started using https://www.graylog.org. It was easy to configure on DigitalOcean hosting.
Steps:
Configure your firewall etc to send the data to your graylog on certain port
Configure graylog to listen to that particular port
Then you will see the data in graylog
Hope this helps.
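Both the first question on this page (getting the sending client's address as a field) and this one (parsing the captured firewall lines to store them in a DB) come down to the same receiver-side step, so here is one added Python example that is not from any post here: a parser for the key=value format shown above that also records the TCP peer address the listener saw, and a loader that stores selected fields in SQLite. SAMPLE_LINE is a constructed, shortened copy of the posted log line, and client_ip is assumed to be supplied by the caller from whatever its TCP accept() reported.

```python
import re
import sqlite3

# Constructed sample: a shortened copy of the firewall line posted above
# (same placeholder addresses). <30> is the syslog priority that prefixes it.
SAMPLE_LINE = ('<30>device="SFW" date=2018-06-15 time=04:10:49 timezone="EDT" '
               'device_name="XG210" log_type="Firewall" log_component="Firewall Rule" '
               'status="Allow" user_name="" src_ip=111.11.1.111 dst_ip=111.111.11.11 '
               'protocol="TCP" src_port=61257 dst_port=80 tran_src_ip= tran_src_port=0 '
               'hb_health="No Heartbeat"')

PRI_RE = re.compile(r'^<(\d{1,3})>')
# key=value where the value is either double-quoted (spaces allowed, may be
# empty) or a bare run of non-space characters (also possibly empty).
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_fw_line(line, client_ip=None):
    """Turn one key=value firewall line into a dict of strings.

    client_ip is the TCP peer address the receiver saw for the sender (what the
    first question on this page asks for); it is stored as 'client_ip' when given.
    """
    rec = {}
    m = PRI_RE.match(line)
    if m:
        rec['pri'] = int(m.group(1))
        line = line[m.end():]
    for key, quoted, bare in FIELD_RE.findall(line):
        rec[key] = quoted or bare  # both are '' for user_name="" and tran_src_ip=
    if client_ip:
        rec['client_ip'] = client_ip
    return rec


COLUMNS = ('client_ip', 'date', 'time', 'log_type', 'status',
           'src_ip', 'src_port', 'dst_ip', 'dst_port', 'protocol')


def load_to_sqlite(lines, client_ip=None, path=':memory:'):
    """Parse each non-empty line and insert the COLUMNS subset into table fw_log.
    Values stay as text; missing keys become NULL. Returns the open connection."""
    conn = sqlite3.connect(path)
    conn.execute('CREATE TABLE IF NOT EXISTS fw_log (%s)'
                 % ', '.join('"%s"' % c for c in COLUMNS))
    rows = [tuple(parse_fw_line(ln, client_ip).get(c) for c in COLUMNS)
            for ln in lines if ln.strip()]
    conn.executemany('INSERT INTO fw_log VALUES (%s)' % ', '.join('?' * len(COLUMNS)), rows)
    conn.commit()
    return conn
```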

Logstash unable to send messages to Graylog

I am unable to post messages to my graylog server. I have turned on my debug in logstash, I can see messages going out but I never receive them in my graylog server. I have tested connectivity between the two servers using nc and it works.
echo -e '{"version": "1.1","host":"example.org","short_message":"Short message","full_message":"Backtrace here\n\nmore stuff","level":1,"_user_id":9001,"_some_info":"foo","_some_env_var":"bar"}\0' | nc -w 1 111.222.333.444 12201
As far as I know, Logstash does not support GELF with TCP. Try it with a UDP/GELF input, it should work.

Logstash doesn't start. Error: "Could not start TCP server: Address in use"

Logstash doesn't start. It says following:
:message=>"Could not start TCP server: Address in use", :host=>"0.0.0.0", :port=>1514, :level=>:error}The error reported is: \n Address already in use - bind - Address already in use"}
In logstash configuration file, port 1514 is not specified. And when logstash is stopped no service is listening on this port. When I start logstash and although I don't specify this port in configuration file, it starts listening on this port. If I put this port in logstash configuration file and start logstash it gives me the error that the address is in use. I need to use tcp/1514 port, because all my esxi hypervisors are configured to send logs to this port.
Why, when I start logstash, does it start listening on this port even though I don't have this port in the configuration file?
What can I do to successfully start logstash service using this port in configuration file?
The problem is that there were two configuration files used by logstash.
root#srv-syslog:~# locate central.conf
/etc/logstash/conf.d/central.conf
/etc/logstash/conf.d/central.conf.save
I deleted the second one and now everything is ok.

How to get IP of outside connection using telnet, or perhaps misconfiguration of memcached allowed ip's

Server A with memcached, Server B needs to use memcached. If I leave memcached open to all ips (default), Server B can:
telnet server.a.etc 11211
and get in. If I ping server B, I get an ip, 153.353.234.23 (example), and I put that in my memcached options
OPTIONS="-l 153.353.234.23"
restart and now Server B can't connect over telnet any longer. I assume this is because perhaps it is using a different ip address for this connection? Some other error? Either way, I'd like to be able to see the ip of server B when it connects.
I enabled memcached logging
-vvv >/var/log/memcached.log 2>&1
and I see logs getting generated, but not the ip addresses of connecting machines.
With memcached -l you are instructing the memcached server to bind on a specific IP address of the server. This is useful if you want memcached to accept data on a specific IP or network interface on your server node.
You can leave the default to make memcached bind on any IP address of the server (0.0.0.0 on IPv4).
I don't think memcached has a command switch to log the source IP.
You can use the command
netstat -natp | grep 11211 | grep ESTABLISHED
on a Linux system to get the established connections to memcached and the IPs of the clients.
You can:
telnet telnetmyip.com
also
ssh telnetmyip.com
also
curl telnetmyip.com
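As an added Python example (not from any answer in this thread), the code below does what the netstat answer above suggests: it reads netstat -natp output, counts ESTABLISHED connections to port 11211 per client IP, and separately reports whether the memcached port is bound to every interface, which is the situation -l narrows. NETSTAT_SAMPLE is constructed to mimic Linux netstat output and reuses the post's example address 153.353.234.23; the 10.0.0.x addresses are made up.

```python
# Constructed netstat -natp output (header plus a few rows). 153.353.234.23 is
# the example client address from the post; 10.0.0.x are made-up addresses.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      1234/memcached
tcp        0      0 10.0.0.5:11211          153.353.234.23:51822    ESTABLISHED 1234/memcached
tcp        0      0 10.0.0.5:11211          153.353.234.23:51830    ESTABLISHED 1234/memcached
tcp        0      0 10.0.0.5:11211          10.0.0.9:40112          TIME_WAIT   -
tcp        0      0 10.0.0.5:22             10.0.0.9:40000          ESTABLISHED 999/sshd
"""


def split_addr(addr):
    """'153.353.234.23:51822' -> ('153.353.234.23', 51822); rsplit keeps IPv6 intact."""
    host, port = addr.rsplit(':', 1)
    return host, (None if port == '*' else int(port))


def socket_rows(netstat_text):
    """Yield (local_host, local_port, remote_host, state) for each tcp/tcp6 row."""
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith('tcp'):
            continue  # header line or non-TCP row
        lhost, lport = split_addr(cols[3])
        rhost, _ = split_addr(cols[4])
        yield lhost, lport, rhost, cols[5]


def memcached_clients(netstat_text, port=11211):
    """{client_ip: number of ESTABLISHED connections} to the given local port."""
    clients = {}
    for _, lport, rhost, state in socket_rows(netstat_text):
        if lport == port and state == 'ESTABLISHED':
            clients[rhost] = clients.get(rhost, 0) + 1
    return clients


def listens_on_all_interfaces(netstat_text, port=11211):
    """True when the port is bound to 0.0.0.0 or ::, i.e. reachable on every
    interface; memcached -l <server IP> narrows that bind but is not a client allowlist."""
    return any(lport == port and state == 'LISTEN' and lhost in ('0.0.0.0', '::')
               for lhost, lport, _, state in socket_rows(netstat_text))
```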
