Develop Reference

Forward firewall logs from kiwi syslog server to elasticsearch?

I have setup the Kiwi Syslog Server where I'm collecting the Sonicwalls Firewall traffic logs, but I want to access that logs through any API or want to send on elasticsearch. Is there any way to setup the logstash and elasticsearch to collect firewall logs from the kiwi syslog server where we are collecting the logs?

In my opinion you have two options
let Logstash read txt file output of the kiwi syslog server
This will be the option if you do other things with the syslogs then sending them to Elasticsearch
Use the Logstash Syslog input and have Logstash listen for syslog events, process them and send them to Elasticsearch [Info on the Logstash Syslog input can be found here]
This implies you get rid of Kiwi

You can't send directly to elasticsearch, but you can configure Kiwi to forward the logs to another place, if you configure logstash to receive this log you can then send it to elasticsearch.
You can use the udp, tcp or syslog input to do this, the main difference is that using the syslog input it will help with the parsing, but the syslog message must follows the format specified in the RFC, I'm not sure if this is the case with Kiwi.
To use the syslog input you just need a configuration like this one.
input {
syslog {
port => "port-to-listen-to"
}
}
output {
elasticsearch {
your-elasticsearch-output
}
}

using filebeat with old version of logstash

I should send my logs to a logstash instance.
Unfortunately it's running a very old instance of logstash (that does not support beats input).
It has a normal tcp input like
tcp {
port => 8888
codec => "json"
}
This is the current configuration of filebeat
output.logastash:
hosts: ["${LOGSTASH_HOST}:8888"]
Is there a way to configure filebeat so its output is accepted by logstash's tcp input?

No, filebeat outputs using the beats protocol and will not work with a tcp input.
You have some options of how to work around this problem.
Upgrade Logstash: before I recommend any hacks or use of deprecated software, the best option is simply upgrading logstash to a modern version, there have been very few breaking changes and a lot of performance upgrades.
Manually add the beats input to Logstash: You can add the beats input to logstash 2.x with /opt/logstash/bin/logstash-plugin install logstash-input-beats
Use logstash-forwarder: Filebeats' predecessor logstash-forwarder is deprecated, but would work with the lumberjack input of older logstashes
Use an intermediary: If we look at the output options supported by filebeat and the inputs supported by Logstash >=1.5 you could use kafka or redis in between filebeat and logstash which they would both be compatible with.

How to disable systemd journald from listening to syslog socket

Overview:
In linux based embedded system with systemd , we have journal which takes care of logging and it is very advanced and handy. It by default listen to syslog socket and kernel message as well. Since we have rsyslog also running on the system syslog messages are getting duplicated both in systemd journal as well as rsyslog file.
Query:
Is there some way we could make the journal not to listen to syslog socket.
Note:
From my understand and observation there is no way to configure this in journald configure file.

If your system takes systemd as init system, then systemd-journald is launched by systemd by default.
Since you said "syslog messages are getting duplicated both in systemd journal as well as rsyslog file", that means journald is forwarding syslog to rsyslog, it's not both daemons are listening to syslog socket. Only journald is listening to that socket. Rsyslog gets the log forwarded to it by journald.

I think you can change the port number on which journal is listening
How to configure Journald
https://serverfault.com/questions/758244/how-to-configure-systemd-journal-remote

Specific logging with rsyslog and ELK

I have an rsyslog server and ELK stack running on the same server.
Our application is forwarding logs to rsyslog and is forwarding it to localhost.
We now want to split up our logging (frontend and backend logging).
Our frontend dev has added a tag [frontend] that will be added to the message.
Is it possible to filter this out in rsyslog and forward this to another logstash while keeping the backend logging?
i have this in my configuration at the moment but it keeps forwarding all messages to that logstash:
*.* ##localhost:5555
:msg, contains, "\[frontend\]" stop
*.* ##localhost:5544
:programname, contains, "backend" ~
We are sending the frontend logs through the backend so program name 'backend' is in every message we receive

did some more research and found a working solution:
*.* {
:msg, contains, "\[frontend\]"
##localhost:5555
}
*.* {:programname, contains, "backend"
##localhost:5544
stop
}

Difference between Rsyslog and Packetbeat

While surfing through internet I came accross rsyslog term which is something like monitoring and logging tool. Fer points that I collected :
1.Multi-threading
2.TCP, SSL, TLS, RELP
3.MySQL, PostgreSQL, Oracle and more
4.Filter any part of syslog message
5.Fully configurable output format
6.Suitable for enterprise-class relay chains
Similarly Packetbeat is used to monitor network packets and uses elasticsearch and Kibana. Packetbeat also monitors TCP, MySql etc.
So what is the prime diff between these two?

Rsyslog is basically for unix and unix like operating system while on the other hand Packetbeat provides support for all the operating systems.
Apart from that Packetbeat can be used to analyze following protocols:
ICMP (v4 and v6)
DNS
HTTP
Mysql
PostgreSQL
Redis
Thrift-RPC
MongoDB
Memcache
While rsyslog provides support for following protocols:
3195
auditd
gssapi
journal
klog
kmsg
mark
ptcp
relp
solaris
tcp
udp
uxsock
zmq3
So the use cases of both rsyslog and packetbeat varies like if you want to monitor your REST API transactions , mongo DB transactions then you can use packetbeat which when integerated with kibana can be used to visualise the traffic on the ports where you API server is running.