Filebeat > elasticsearch to filebeat > logstash > elasticsearch (syslog)

Rgn · May 22, 2017, 1:16pm

Hi there.

i'm was using syslog module from filebeat to send data to elasticseach.
In my kibana a can saw my data with all the additionnal field (ex: system.syslog.hostname, system.syslog.message system.syslog.pid, etc ...)

Now i have to check an other file with the same filebeat.
I use logstash for parse that file and redirect syslog file to filebeat index but i lost all the syslog field.
How can i keep the syslog field from syslog module of filebeat inside my logstash/elasticsearch ?

Here my pipeline :

input {
beats {
port => "5043"
}
}

filter {
if [type] == "cpu_log" {
grok {
match => {
"message" => "%{SYSLOGBASE} %{NUMBER:status:int}"
}
}
}
}

output {
if [type] == "cpu_log" {
elasticsearch {
hosts => ["my_elk:9200"]
}
} else {
elasticsearch {
hosts => ["my_elk:9200"]
index => "filebeat-%{+YYYY.MM.dd}"
}
}
}

Thanks by advance

guyboertje · May 30, 2017, 1:30pm

Did you find a solution?

Rgn · May 30, 2017, 3:13pm

I think i find a beginning of solution.
i find in the doc the attribute pipeline in elastisearch output (logstash conf) . I'm trying use it for apply it to my different log. But i got error at that step.

WARN logstash.outputs.elasticsearch - Failed action. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"filebeat-2017.05.30", :_type=>"log", :_routing=>nil, :pipeline=>"filebeat-5.4.0-system-auth-pipeline"}, ******************, :response=>{"index"=>{"_index"=>"filebeat-2017.05.30", "_type"=>"log", "_id"=>nil, "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"pipeline with id [filebeat-5.4.0-system-auth-pipeline] does not exist"}}}}

it's said id pipeline "filebeat-5.4.0-system-auth-pipeline" does exist. But in my kibana dev tool the requet : GET _ingest/pipeline/filebeat-5.4.0-system-auth-pipeline send me back the pipeline.

I'm little lost....
here my news logstash pipeline

input {
beats {
port => "5043"
}
}

filter {
if [type] == "cpu_log" {
grok {
match => {
"message" => "%{SYSLOGTIMESTAMP} %{HOSTNAME} cpu_status: %{NUMBER:stats_cpu:int} memory_status: %{NUMBER:stats_mem:int} disk_status: %{NUMBER:stats_disk:int} ssh_status: %{NUMBER:stats_ssh:int} io_status: %{NUMBER:stats_io:int}"
}
}
}
}

output {
if [type] == "cpu_log" {
elasticsearch {
hosts => ["94.23.19.32:9200"]
}
} else if [source] == "/var/log/syslog" {
elasticsearch {
hosts => ["my_elk:9200"]
index => "filebeat-%{+YYYY.MM.dd}"
pipeline => "filebeat-5.4.0-system-syslog-pipeline"
}
} else if [source] == "/var/log/auth.log" {
elasticsearch {
hosts => ["my_elk:9200"]
index => "filebeat-%{+YYYY.MM.dd}"
pipeline => "filebeat-5.4.0-system-auth-pipeline"
}
}

Rgn · May 31, 2017, 1:59pm

i finaly reproduce the elasticsearch ingest node for syslog inside a grok filter in logstash, and it's works.

if someone is interesting by it, here my new logstash pipeline:

input {
      beats {
            port => "5043"
      }
}

filter {
       if [type] == "cpu_log" {
          grok {
               match => {
                     "message" => "%{SYSLOGTIMESTAMP} %{HOSTNAME} cpu_status: %{NUMBER:stats_cpu:int} memory_status: %{NUMBER:stats_mem:int} disk_status: %{NUMBER:stats_disk:int} ssh_status: %{NUMBER:stats_ssh:int} io_status: %{NUMBER:stats_io:int}"
               }
          }
        } else if [source] == "/var/log/syslog" {
                grok {
                    match => {
                          "message" => ["%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:system.syslog.hostname} %{DATA:system.syslog.program}(?:\[%{POSINT:system.syslog.pid}\])?: %{GREEDYMULTILINE:system.syslog.message}",
                                       "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}"]
                    }
                    pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
                    remove_field => ["message"]
                }
        } else if [source] == "/var/log/auth.log" {
               grok {
                    match => {
                        "message" => ["%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ssh.ip} port %{NUMBER:system.auth.ssh.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?",
                                       "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: %{DATA:system.auth.ssh.event} user %{DATA:system.auth.user} from %{IPORHOST:system.auth.ssh.ip}",
                                       "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{POSINT:system.auth.pid}\])?: Did not receive identification string from %{IPORHOST:system.auth.ssh.dropped_ip}",
                                       "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sudo(?:\[%{POSINT:system.auth.pid}\])?: \s*%{DATA:system.auth.user} :( %{DATA:system.auth.sudo.error} ;)? TTY=%{DATA:system.auth.sudo.tty} ; PWD=%{DATA:system.auth.sudo.pwd} ; USER=%{DATA:system.auth.sudo.user} ; COMMAND=%{GREEDYDATA:system.auth.sudo.command}",
                                       "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} groupadd(?:\[%{POSINT:system.auth.pid}\])?: new group: name=%{DATA:system.auth.groupadd.name}, GID=%{NUMBER:system.auth.groupadd.gid}",
                                       "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} useradd(?:\[%{POSINT:system.auth.pid}\])?: new user: name=%{DATA:system.auth.useradd.name}, UID=%{NUMBER:system.auth.useradd.uid}, GID=%{NUMBER:system.auth.useradd.gid}, home=%{DATA:system.auth.useradd.home}, shell=%{DATA:system.auth.useradd.shell}$",
                                       "%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} %{DATA:system.auth.program}(?:\[%{POSINT:system.auth.pid}\])?: %{GREEDYMULTILINE:system.auth.message}"]
                    }
                    pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
                    remove_field => ["message"]
               }
               geoip {
                    source => "system.auth.ssh.ip"
                    target => "system.auth.ssh.geoip"
               }
        }
}

output {
        if [type] == "cpu_log" {
               elasticsearch {
                        hosts => ["my_elk:9200"]
               }
        } else {
               elasticsearch {
                        hosts => ["my_elk:9200"]
                        index => "filebeat-%{+YYYY.MM.dd}"
                }
        }
}

system · June 28, 2017, 1:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat logs to logstash to kibana Beats filebeat	10	3087	February 16, 2018
Logstash active exited using filebeat input Logstash	2	1872	July 6, 2017
Syslog and filebeat assistance request Beats filebeat	25	3460	October 17, 2019
Syslogging Struggle - newbie alert Elasticsearch	5	587	December 21, 2021
What is the best way to extract Syslog Fields with Beats Inputs Beats	4	7942	July 5, 2017

Filebeat > elasticsearch to filebeat > logstash > elasticsearch (syslog)

Related topics