This project provides a Docker-based setup for collecting, parsing, and visualizing F5 CGNAT and Juniper device syslogs using Elasticsearch, Filebeat, and Grafana. The setup allows for efficient monitoring and analysis of network logs from both F5 and Juniper devices.
- Collects syslog data from multiple network devices:
  - F5 CGNAT logs (UDP port 1514)
  - Juniper device logs (UDP port 1515)
- Stores and indexes logs in Elasticsearch with device-specific indices
- Provides visualization capabilities through Grafana
- Supports UDP syslog input
- Configurable log parsing and indexing
- Docker and Docker Compose
- Minimum 4GB RAM for Elasticsearch
- F5 (and, with the extended configuration, Juniper) devices that can send syslog over UDP to this host
```text
.
├── docker-compose.yml   # Docker services configuration
├── filebeat.yml         # Filebeat configuration for F5 logs
├── filebeat.last.yml    # Extended Filebeat configuration with multiple inputs (F5 and Juniper)
```
1. Clone this repository:

   ```bash
   git clone [your-repository-url]
   cd f5-juniper-syslog-elk
   ```

2. Start the services:

   ```bash
   docker-compose up -d
   ```
3. Configure your network devices to send syslog to the Filebeat instance:
   - F5 CGNAT syslog destination: `[your-server-ip]:1514`, protocol UDP
   - Juniper syslog destination: `[your-server-ip]:1515`, protocol UDP (requires the extended Filebeat configuration, which adds the Juniper input)
The Filebeat configuration (`filebeat.yml`) is set up to:
- Listen for syslog data on UDP port 1514
- Forward logs to Elasticsearch
- Create daily indices with the pattern `f5-logs-YYYY.MM.DD`
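The following is an added example of how a single Filebeat configuration can cover both device types described above, with one UDP listener per device and a per-device daily index. It is not the project's own `filebeat.yml` or `filebeat.last.yml`; the `device` field, the `juniper-logs-*` and `netlogs-*` index names, the template name, and the use of Filebeat 8.x (for the `syslog` processor) are assumptions made for the example.

```yaml
# Added example, not the project's config file. Assumes Filebeat 8.x.
filebeat.inputs:
  - type: udp
    host: "0.0.0.0:1514"          # F5 CGNAT devices send here
    max_message_size: 10KiB
    fields:
      device: f5                  # assumed tag, used below to pick the index
    fields_under_root: true
    tags: ["syslog", "f5"]

  - type: udp
    host: "0.0.0.0:1515"          # Juniper devices send here
    max_message_size: 10KiB
    fields:
      device: juniper             # assumed tag
    fields_under_root: true
    tags: ["syslog", "juniper"]

processors:
  # Parse the syslog header (priority, timestamp, hostname, program) out of
  # the raw line so Grafana can filter on those fields instead of full text.
  - syslog:
      field: message
  - add_host_metadata: ~

# Custom index names only take effect with ILM off and an explicit template
# name/pattern; otherwise Filebeat silently writes to filebeat-* instead.
setup.ilm.enabled: false
setup.template.name: "netlogs"          # assumed name
setup.template.pattern: "*-logs-*"

output.elasticsearch:
  hosts: ["http://elasticsearch:9200"]  # Compose service name
  index: "netlogs-%{+yyyy.MM.dd}"       # fallback for untagged events (assumed)
  indices:
    - index: "f5-logs-%{+yyyy.MM.dd}"   # matches the page's f5-logs-YYYY.MM.DD
      when.equals:
        device: "f5"
    - index: "juniper-logs-%{+yyyy.MM.dd}"   # assumed name for Juniper
      when.equals:
        device: "juniper"
```

Before pointing real devices at it, run `filebeat test config -c filebeat.yml` and `filebeat test output -c filebeat.yml` inside the container; the first catches YAML mistakes, the second confirms Filebeat can reach `elasticsearch:9200` over the Compose network.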
Elasticsearch is configured as a single-node cluster with:
- Security features disabled for development (no authentication and no TLS), so anyone who can reach port 9200 can read, modify, or delete every index; do not expose it on an untrusted network
- Exposed on ports 9200 (HTTP) and 9300 (transport)
- Persistent volume for data storage
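Because the development setup runs Elasticsearch without authentication, the practical control is to limit who can reach it. The Compose fragment below is an added example (not the project's `docker-compose.yml`) showing the same services with the listeners narrowed: the Elasticsearch HTTP port is bound to loopback, the transport port is not published at all, and only the two syslog UDP ports and Grafana face the network. Image tags, the JVM heap size, and the `GRAFANA_ADMIN_PASSWORD` variable are assumptions made for the example.

```yaml
# Added example, not the project's docker-compose.yml. Image tags and sizes are assumed.
services:
  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:8.12.2
    environment:
      - discovery.type=single-node
      - xpack.security.enabled=false     # development only: no auth, no TLS
      - ES_JAVA_OPTS=-Xms2g -Xmx2g        # assumed; fits the 4 GB minimum
    ulimits:
      memlock:
        soft: -1
        hard: -1
    ports:
      # "9200:9200" would publish the unauthenticated API on every interface.
      # Binding to 127.0.0.1 keeps it reachable only from this host.
      - "127.0.0.1:9200:9200"
      # 9300 (transport) is deliberately not published: nothing outside the
      # Compose network needs it, and Filebeat/Grafana use elasticsearch:9200.
    volumes:
      - esdata:/usr/share/elasticsearch/data
    restart: unless-stopped

  filebeat:
    image: docker.elastic.co/beats/filebeat:8.12.2
    # --strict.perms=false lets Filebeat load a bind-mounted config that is not
    # owned by the container user; drop it if you chown the file instead.
    command: ["filebeat", "-e", "--strict.perms=false"]
    volumes:
      - ./filebeat.last.yml:/usr/share/filebeat/filebeat.yml:ro
    ports:
      # The syslog listeners are the only ports that should face the network.
      - "1514:1514/udp"
      - "1515:1515/udp"
    depends_on:
      - elasticsearch
    restart: unless-stopped

  grafana:
    image: grafana/grafana:10.4.1
    environment:
      # Grafana has its own login, so it may be published, but never with the
      # default admin/admin. Compose refuses to start unless the variable is set.
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_ADMIN_PASSWORD:?set GRAFANA_ADMIN_PASSWORD}
    ports:
      - "3000:3000"
    depends_on:
      - elasticsearch
    restart: unless-stopped

volumes:
  esdata:
```

After `docker-compose up -d`, `ss -ulnp | grep -E '1514|1515'` should show the two UDP listeners and `ss -tlnp | grep 9200` should show `127.0.0.1:9200` only; if 9200 or 9300 appears on `0.0.0.0`, the port mapping still matches the original development layout.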
- Access Grafana at `http://localhost:3000`
- Add Elasticsearch as a data source:
  - URL: `http://elasticsearch:9200` (the Compose service name; Grafana resolves it over the Docker network, so `localhost` would not work from inside the container)
  - Index pattern: `f5-logs-*`
- Logs are automatically rotated based on size (10MB) and kept for 7 days
- Elasticsearch data is persisted through Docker volumes
- Services are configured to restart automatically unless stopped
Contributions are welcome! Please feel free to submit a Pull Request.
This project is licensed under the MIT License - see the LICENSE file for details.