Vector configuration

Some network switches emit syslog messages that are not well-formed (for example, a malformed header). With Vector's `syslog` source, such messages fail to parse and are dropped. To avoid losing them, use the `socket` source instead and parse the syslog structure in a `remap` transform, falling back to the raw line when parsing fails.

If a message has a malformed structure, it is written to the sink unparsed (the raw line is kept as the event's `message`).

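# Vector pipeline: receive raw syslog over UDP, parse what parses, and ship
# every event (parsed or not) to Elasticsearch.
data_dir: "/var/lib/vector"

api:
  enabled: true
  # Loopback only: the API is unauthenticated, so it must never be bound to a
  # routable address.
  address: "127.0.0.1:8686"

sources:
  source_syslog_udp:
    # `socket` instead of `syslog` so that malformed frames are kept rather
    # than rejected; structure is recovered in the remap transform below.
    type: socket
    mode: udp
    # Address/port the devices are configured to send to (see the Junos
    # example below). UDP syslog is plaintext and unauthenticated: anything
    # that can reach this port can inject or spoof events, so restrict
    # reachability with host/network firewall rules to the known device
    # source addresses.
    address: "192.0.2.2:514"

transforms:
  t_parse_syslog:
    type: remap
    inputs:
      - source_syslog_udp
    source: |
      # Receipt time set by the socket source becomes @timestamp. A device
      # timestamp recovered from the syslog header (if any) is merged in as
      # `.timestamp` by the block below and then dropped, so @timestamp is
      # always the collector's clock, not the device's.
      ."@timestamp" = .timestamp

      parsed, err = parse_syslog(.message)
      if err == null {
        # Merge header fields (hostname, appname, severity, ...) into the event.
        . |= parsed
      } else {
        # Keep the raw line, but mark it so malformed senders can be found and
        # counted in Elasticsearch instead of blending in with parsed events.
        .syslog_parse_error = err
      }

      del(.timestamp)
      del(.source_type)

sinks:
  es_devices:
    type: elasticsearch
    api_version: v7
    inputs:
      - t_parse_syslog
    endpoints:
      - https://hwlogs-ingress.logging.svc.cluster.local
    auth:
      strategy: basic
      # Pull credentials from the environment (Vector expands ${VAR} when it
      # loads the config) instead of committing them to this file.
      user: "${ES_USER}"
      password: "${ES_PASSWORD}"
    bulk:
      index: "devices-%Y.%m.%d"
    tls:
      # Keep certificate and hostname verification enabled (the defaults).
      # Disabling them lets anyone on the path to the ingress read the
      # basic-auth credentials and alter or drop log events. If the ingress
      # presents a certificate from a private CA, trust that CA explicitly:
      # ca_file: "/path/to/internal-ca.pem"
      verify_certificate: true
      verify_hostname: true
    buffer:
      type: disk
      # 10 GiB on-disk buffer so events survive a sink outage or a restart.
      max_size: 10737418240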

Example syslog configuration for a Juniper (Junos) device that forwards to the Vector collector above (`192.0.2.2:514`).

vitalvas@mx304-city17# show system syslog
host 192.0.2.2 {
    authorization any;
    daemon any;
    security any;
    kernel any;
    user any;
    firewall any;
    /* Presumably logs operator CLI commands; keep it for change auditing. */
    interactive-commands any;
    allow-duplicates;
    /* Plain UDP syslog to the Vector socket source; address and port must match its `address`. */
    port 514;
    /* The peer address Vector will see; use it to restrict who may send to 192.0.2.2:514. */
    source-address 192.0.2.39;
    /* NOTE(review): assumed to add facility/severity to each message -- confirm parse_syslog accepts the resulting header. */
    explicit-priority;
}