Hi Team,
I am new to ELK , just installed ELK and filebeat 2 days ago.
I am able to see logs from 2 different filebeat clients logs in ELK machine, when working in ubuntu for syslog(default logs).
But, When working with custom index and type for custom filter/match specific line, it is not working. The same filter, index are working fine when using windows setup (but without filebeat) in single machine setup.
-
I made a sample log file (tsyslog in /var/log/).
[DEBUG]:[test385231]:[admin]:[Jan 17 04:56:23]:[h5vnkdksvj6dmij14]:[INIT]:[Event.Pre_deploymentevent_check_started]:[com.aricent.openstackdeploy.VMDeployLauncher{1}:68] -
Configured filebeat.yml
filebeat:
List of prospectors to fetch data.
prospectors:
-
paths:
- /var/log/tsyslog
document_type: type
registry_file: /var/lib/filebeat/registry
---- rest settings are similar -----
Filter used:-
filter {
if [type] == "tsyslog" {
grok
{
match => { "message" => "[%{LOGLEVEL:Severity}]:[%{SYSLOGHOST:Host_Name}]:[%{DATA:User_Name}]:[%{SYSLOGTIMESTAMP:timestamp}]:[%{DATA:Session_ID}]:[%{DATA:Function_Name}]:[%{DATA:Event}]:[%{GREEDYDATA:message}]" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
add_field => [ "received_user", "%{User_Name}" ]
add_field => [ "received_session", "%{Session_ID}" ]
add_field => [ "received_Function_Name", "%{Function_Name}" ]
add_field => [ "received_event", "%{Event}" ]
}
syslog_pri { }
date
{
match => [ "syslog_timestamp", "YYYY MMM dd HH:mm:ss", "YYYY MMM dd HH:mm:ss" ]
}
}
}
~
output {
elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "test3"
document_type => "test3type"
}
}
Thanks in advance
Ashu