Add IP Address Tag To Socket Input

Hello,

I am attempting to use Telegraf to collect syslog messages from various network devices (firewalls and switches). Unfortunately, several of these device vendors do not send log messages in an RFC-compatible format that the “syslog” input can understand.

So I have set up a socket listener that is parsing raw syslog messages using the grok parser. This is working well.

However, I have one device type that is not sending its hostname or IP address as part of the log message. I need either of these so I can tag the log accordingly.

Is there a way to add an IP address tag to the socket input that corresponds to the source IP that sent the log message?

If needed, the relevant config looks roughly like this (note: the example below is for Cisco Nexus, which can optionally include the hostname, but the problem is with a different vendor's device that doesn't):

[[inputs.socket_listener]]
  ## URL to listen on
  service_address = "udp://:6514"

  ## Data format to consume.
  ## Each data format has its own unique set of configuration options, read
  ## more about them here:
  ## https://github.com/influxdata/telegraf/blob/master/docs/DATA_FORMATS_INPUT.md
  data_format = "grok"

  ## Grok patterns
  grok_patterns = ["%{CISCO_NEXUS}"]
  grok_custom_pattern_files = ["/etc/telegraf/grok_patterns/cisco"]

  ## Route to device_logs output
  [inputs.socket_listener.tags]
    device_log_type = "syslog"

The patterns:

CISCO_TIMESTAMP %{YEAR} %{SYSLOGTIMESTAMP} %{TZ}
CISCO_NEXUS <%{NONNEGINT}>%{HOSTNAME:hostname:tag}: %{CISCO_TIMESTAMP:timestamp:ts-"2006 Jan 2 15:04:05 MST"}: %{GREEDYDATA:message}

Thanks,

Jeremy

Hi,

Do you have a way of identifying the devices based on some value in the data? The listener itself does not capture from where the data was received.

You could have different socket listeners for different devices and set a source tag for each as well.

Unfortunately there’s no reliable identifying information in the log output in this circumstance.

Having different listeners for different devices, each with a fixed tag, should be doable if it needs to come to that.

Thanks for your help.

Jeremy
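The per-device workaround discussed above, written out as an added configuration example (not from the original thread or from the Telegraf project): one `socket_listener` per device, each on its own port and each carrying a fixed tag that stands in for the source address the plugin cannot capture. The ports, the `device_source` tag name, the vendor pattern names and the addresses are assumptions.

```toml
# Added example, not from the original post. Because socket_listener does not
# record the UDP peer address, the "source" of a log is pinned by which port
# it arrived on: point each device at its own port and tag that listener.
# The tag is only as trustworthy as the network path, so restrict which
# device may reach which port (host firewall / ACL) as part of the setup.

# Existing Cisco Nexus listener: hostname is parsed out of the message itself.
[[inputs.socket_listener]]
  service_address = "udp://:6514"
  data_format = "grok"
  grok_patterns = ["%{CISCO_NEXUS}"]
  grok_custom_pattern_files = ["/etc/telegraf/grok_patterns/cisco"]
  [inputs.socket_listener.tags]
    device_log_type = "syslog"

# Vendor that omits hostname/IP: dedicated port, source fixed by tag.
# VENDOR_X, the pattern file path and 10.0.0.1 are constructed placeholders.
[[inputs.socket_listener]]
  service_address = "udp://:6515"
  data_format = "grok"
  grok_patterns = ["%{VENDOR_X}"]
  grok_custom_pattern_files = ["/etc/telegraf/grok_patterns/vendor_x"]
  [inputs.socket_listener.tags]
    device_log_type = "syslog"
    device_source = "10.0.0.1"      # constructed: firewall-1 management address

# A second device of the same vendor gets its own port and its own tag.
[[inputs.socket_listener]]
  service_address = "udp://:6516"
  data_format = "grok"
  grok_patterns = ["%{VENDOR_X}"]
  grok_custom_pattern_files = ["/etc/telegraf/grok_patterns/vendor_x"]
  [inputs.socket_listener.tags]
    device_log_type = "syslog"
    device_source = "10.0.0.2"      # constructed: firewall-2 management address
```

Every series from a given listener then carries `device_source`, so the downstream route on `device_log_type = "syslog"` keeps working and the per-device tag is available for filtering and alerting.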