Hi all,
This is my config in /etc/logstash/conf.d/01-logstash.conf
from ELK Server.
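# Logstash pipeline: receive syslog lines from Filebeat on 5044, classify sshd
# authentication events with grok, and index them into Elasticsearch.
#
# NOTE(review): the free-text section labels that sat between the filter
# blocks in the original ("Grok Filter for SSH Failed Password", "Grok Filter
# for SSH Password Accepted") are not valid pipeline syntax.  If they are
# literally present in /etc/logstash/conf.d/01-logstash.conf, config
# validation fails at startup and Logstash never binds port 5044 -- that is
# consistent with the "connection refused" seen from filebeat.  They are
# turned into comments here; `bin/logstash --config.test_and_exit` validates
# the file without starting the pipeline.
input {
  beats {
    # Port Filebeat connects to.  No ssl => true / ssl_certificate / ssl_key
    # is configured, so the beat-to-Logstash connection is plaintext.
    port => 5044
  }
}

# Grok filter for SSH invalid user
filter {
  grok {
    match => {
      "message" => [
        # The pid brackets must be escaped (\[ \]) as in the third filter;
        # unescaped "[...]" is a regex character class, not literal brackets,
        # so "sshd[1234]:" lines would never match here.
        "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:? %{SSH_INVALID_USER:message}"
      ]
    }
    # Custom SSH_* patterns are loaded from here (file contents not shown).
    patterns_dir => "/etc/logstash/patterns/sshd"
    named_captures_only => true
    # add_tag / remove_tag / add_field apply only when the match succeeds; a
    # non-matching event gets "_grokparsefailure" instead.  Because all three
    # grok filters in this file run on every event, an event matched by an
    # earlier filter is tagged "_grokparsefailure" again by a later one.
    remove_tag => ["_grokparsefailure"]
    break_on_match => true
    add_tag => [ "SSH", "SSH_INVALID_USER" ]
    add_field => { "event_type" => "SSH_INVALID_USER" }
    # The SSH_INVALID_USER capture replaces the raw line in "message".
    overwrite => "message"
  }
}

# Grok filter for SSH failed password
filter {
  grok {
    match => {
      "message" => [
        # Same escaped pid brackets as above.
        "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:? %{SSH_FAILED_PASSWORD:message}"
      ]
    }
    patterns_dir => "/etc/logstash/patterns/sshd"
    named_captures_only => true
    remove_tag => ["_grokparsefailure"]
    break_on_match => true
    add_tag => [ "SSH", "SSH_FAILED_PASSWORD" ]
    add_field => { "event_type" => "SSH_FAILED_PASSWORD" }
    # The SSH_FAILED_PASSWORD capture replaces the raw line in "message".
    overwrite => "message"
  }
}

# Grok filter for SSH password accepted
filter {
  grok {
    match => {
      "message" => [
        # %{SSH_ACCEPTED_PASSWORD} has no capture name and there is no
        # overwrite below, so on a match "message" keeps the raw line.
        "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?:? %{SSH_ACCEPTED_PASSWORD}"
      ]
    }
    patterns_dir => "/etc/logstash/patterns/sshd"
    named_captures_only => true
    remove_tag => ["_grokparsefailure"]
    break_on_match => true
    add_tag => [ "SSH", "SSH_ACCEPTED_PASSWORD" ]
    add_field => { "event_type" => "SSH_ACCEPTED_PASSWORD" }
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    # Index templates are managed outside this pipeline.
    manage_template => false
    # One index per beat and day, e.g. filebeat-2024.01.31 (constructed example).
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    # NOTE(review): document_type depends on the Elasticsearch/Logstash
    # versions in use (mapping types were removed in later releases) -- confirm
    # against the installed versions.
    document_type => "%{[@metadata][type]}"
  }
}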
When I use netstat, port 5044 isn't listening although I've opened it in both firewalld and iptables.
So I can't connect from the client (filebeat) to the Logstash server.
filebeat test output logstash: 192.168.0.1:5044... connection... parse host... OK dns lookup... OK addresses: 192.168.0.1 dial up... ERROR dial tcp 192.168.0.1:5044: connect: connection refused
Please help me
Thanks