Passive deployment for log ingestion behind a TAP/SPAN/diode


I would like to setup Graylog for passive log ingestion behind a TAP/SPAN/diode, from an existing log stream. Unfortunately I haven’t been able to find any information about passive deployment.

Can Logstash (or something else) be configured to receive a UDP stream with logs in syslog, GELF or some other protocol with UDP support, on a network interface in promiscuous mode? Which option(s) would you suggest?


I haven’t tried this, but under Linux you could look at using iptables redirects to redirect all traffic with a dst port of syslog to an actual syslog server. As TAP/SPAN ports are read-only, it wouldn’t affect the actual traffic (ie it won’t redirect/break anything), but for UDP traffic iptables would be unaware of that and should still work

The only thing that would even come close is Zeek, which can pull syslog messages from network traffic, but It only will pull syslog from UDP, and syslog only. I disable this on our sensors, I’m not even sure how well it works/how forgiving it is of poorly formatted messages. Zeek-Syslog

What is your use case? Are you looking for a fanout distribution for log messages? Maybe there’s another way to solve it.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.