Posted on April 27, 2021 5:34 pm
 |  Asked by Ryan Downey
I’m currently ingesting syslog data from multiple different switch/router vendors, i.e. Arista, Cisco, Aruba, etc., and I’m wondering if there’s an efficient way to sort the Arista switches in Logstash via a unique identifier within the syslogs. As of right now we’re filtering by IP, which works well, but this is a really poor way to filter things once you start scaling up. With thousands of devices this is just not a good long-term solution for us. I’ve looked through some of the documentation but there doesn’t seem to be a unique identifier of some nature that in essence says, “these are Arista switches”, when building my filters in Logstash outside of the IP. Any thoughts on this would be greatly appreciated. Thank you for your time.

Posted by Nitin Nitin
Answered on April 29, 2021 12:36 am

Syslog has several messages about processes starting that are Arista specific... maybe regex for them?
Or at boot up script logger "Arista Switch"... and then grep that in syslog?
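
The boot-marker idea from the answer above, as an added example that is not part of the original thread: a marker logged once at boot only identifies that one line, so the classifier has to remember which source host sent it and tag that host's later messages. It is written in Ruby so the logic can be carried into a Logstash `ruby` filter; the hostnames, the RFC 3164-style line layout and the sample lines are constructed, and only the marker text "Arista Switch" comes from the answer.

```ruby
# Added example: learn vendor per host from a boot-time marker, then tag
# every later message from that host. Not code from the thread.

MARKER = /Arista Switch/ # text the answer suggests logging at boot

# Assumed RFC 3164-style layout: "<PRI>Mon DD HH:MM:SS host rest-of-message"
LINE = /\A<\d{1,3}>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?<host>\S+) (?<msg>.*)\z/

class VendorTagger
  def initialize
    @vendor_by_host = {} # host => vendor, filled in as markers arrive
  end

  # Returns { host:, msg:, vendor: }; vendor is nil until the host's
  # marker has been seen, and for lines that do not parse.
  def tag(line)
    m = LINE.match(line.chomp)
    return { host: nil, msg: line, vendor: nil } unless m

    host = m[:host]
    @vendor_by_host[host] = "arista" if MARKER.match?(m[:msg])
    { host: host, msg: m[:msg], vendor: @vendor_by_host[host] }
  end
end

# Constructed sample input (hostnames and messages are made up).
SAMPLE = [
  "<189>Apr 29 00:29:00 sw-a2 agent: message sent before the marker",
  "<13>Apr 29 00:30:01 sw-a1 logger: Arista Switch",
  "<189>Apr 29 00:31:10 sw-a1 agent: interface Ethernet1 changed state to up",
  "<189>Apr 29 00:31:12 rtr-c1 agent: interface Gi0/1 changed state to down",
  "<13>Apr 29 00:32:00 sw-a2 logger: Arista Switch",
  "<189>Apr 29 00:32:05 sw-a2 agent: interface Ethernet2 changed state to up",
  "not a syslog line"
].freeze

# Vendor decided for each line, in order.
def vendors_for(lines)
  tagger = VendorTagger.new
  lines.map { |l| tagger.tag(l)[:vendor] }
end
```

Messages that arrive before a host's marker stay untagged, and the map is lost on restart, so the marker is best re-sent periodically rather than only at boot.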

