Closed anubisg1 closed 1 year ago
I can write up a doc with recommendations, but we have ingestion configs that write logs to a Kafka topic per log type, then we use these configs to process the logs. But it depends on your env. If you have a device naming convention you can regex the host name, send logs to a custom port, use a jdbc connection to an inventory database to do lookups, use a local csv... In rsyslog we tag each log and regex the beginning of the log...
Closing this issue assuming OP got the answer.
As per title, how would we classify incoming syslog messages so that they end up in the proper process pipeline?
Let's take a common use case where in the network we have Cisco IOS routers and switches, Cisco ACI, Cisco WLC and ISE, then Checkpoint firewalls, F5 load balancers etc...
Generally those devices would all be sending logs to the syslog server IP on port 514. But how would we classify where each message is coming from in order to send it to the specific processor?
Are we supposed to set up a different input queue for each processor (for example, a different port on the syslog server so that, for example, ACI goes to 192.168.10.10 port 5514 while Checkpoint goes to port 5515)?
Or is there an IP filter that says, if the source IP is X send to the ACI processor, if Y send to the Checkpoint one...
or what other options are there?
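The three routing options raised in the question and the reply (a dedicated listen port per device class, a source-IP or subnet filter, and a regex on the hostname in the syslog header) can all live in one classifier in front of the per-vendor processors. The following is an added example, not code from this project or thread; the ports, subnets, naming patterns and sample messages are constructed, and the hostname regex accepts both RFC 3164 and RFC 5424 header shapes.

```python
import ipaddress
import re

# Constructed routing tables. Evaluation order is most specific first:
# 1) a dedicated listening port, if the device class was given its own port
PORT_ROUTES = {5514: "aci", 5515: "checkpoint"}
# 2) the sender's source IP, matched against management subnets from inventory
SUBNET_ROUTES = [
    (ipaddress.ip_network("192.168.20.0/24"), "ise"),
    (ipaddress.ip_network("192.168.30.0/24"), "f5"),
]
# 3) a device naming convention, applied to the HOSTNAME field of the header
HOST_ROUTES = [
    (re.compile(r"^wlc-", re.I), "wlc"),
    (re.compile(r"^(rtr|sw)-", re.I), "ios"),
]
# Header parser: "<PRI>1 TIMESTAMP HOST ..." (RFC 5424) or
# "<PRI>Mon DD HH:MM:SS HOST ..." (RFC 3164, timestamp optional in practice)
HEADER_RE = re.compile(
    r"^<\d{1,3}>(?:1\s+\S+\s+|(?:\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+)?)(?P<host>\S+)"
)


def classify(src_ip, dst_port, message):
    """Return the processor name for one syslog datagram, or 'unclassified'."""
    if dst_port in PORT_ROUTES:
        return PORT_ROUTES[dst_port]
    addr = ipaddress.ip_address(src_ip)
    for net, proc in SUBNET_ROUTES:
        if addr in net:
            return proc
    m = HEADER_RE.match(message)
    if m:
        host = m.group("host")
        for pat, proc in HOST_ROUTES:
            if pat.search(host):
                return proc
    # Anything that falls through should be counted and reviewed, not dropped:
    # an unknown sender is either an inventory gap or an unexpected device.
    return "unclassified"


if __name__ == "__main__":
    print(classify("10.0.0.5", 5514, "<189>Jan  1 00:00:00 apic1 %LOG_LOCAL7-3-SYSTEM_MSG ..."))
    print(classify("10.1.1.2", 514, "<189>Mar  3 12:00:01 sw-core1 %LINK-3-UPDOWN ..."))
```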