The ingest scenario below perplexingly fails for the Filebeat system module's auth
fileset with the error `Provided Grok expressions do not match field value`.
It doesn't matter which event from /var/log/secure is sent;
every single one fails with the same Grok error.
Example Elasticsearch document with error.message
is below.
Ironically, pasting the same event.original
into Stack Management > Ingest Pipelines > Edit > Test pipeline succeeds, using the exact same filebeat-8.5.3-system-auth-pipeline
that appears to have failed here.
Sample event from the end host:
grep 'session opened' /var/log/secure | tail -n1
Jan 12 21:29:07 REDACTED sudo: pam_unix(sudo-i:session): session opened for user root by ec2-user(uid=0)
Here is the same event as seen when tailing Kafka:
{"@timestamp":"2023-01-12T22:07:19.133Z","@metadata":{"beat":"filebeat","type":"_doc","version":"8.5.3","pipeline":"filebeat-8.5.3-system-auth-pipeline"},"fileset":{"name":"auth"},"service":{"type":"system"},"agent":{"ephemeral_id":"5f25a263-e27a-4b41-9233-81dad72cd450","id":"af433b61-1a37-4916-94f7-0e7d36f84d97","name":"ip-REDACTED.REDACTED.compute.internal","type":"filebeat","version":"8.5.3"},"ecs":{"version":"8.0.0"},"host":{"name":"ip-REDACTED.REDACTED.compute.internal"},"log":{"file":{"path":"/var/log/secure"},"offset":34944},"message":"Jan 12 22:07:14 ip-REDACTED sudo: pam_unix(sudo-i:session): session opened for user root by ec2-user(uid=0)","input":{"type":"log"},"event":{"module":"system","dataset":"system.auth","timezone":"+00:00"}}
The pipeline was added to Elasticsearch using filebeat setup --pipelines
for filebeat/elasticsearch 8.5.3.
Logstash config:
# Kafka -> Logstash -> Elasticsearch. Records arrive as Filebeat JSON (see the Kafka
# sample above) and are handed to the Filebeat ingest pipeline named in
# [@metadata][pipeline] by the elasticsearch output.
input {
kafka {
topics => ["system"]
bootstrap_servers => "my-cluster-kafka-bootstrap:9092"
# NOTE(review): no ecs_compatibility is set on this input/codec, only on the
# outputs below. The failed document carries an event.original holding the
# entire Kafka JSON record (the Filebeat event itself has no such field), and
# the Grok error quotes that same JSON rather than the syslog line held in
# `message`. This looks like the json codec in ECS mode (the Logstash 8
# default) populating [event][original] before the ingest pipeline runs on it
# -- confirm by setting `ecs_compatibility => "disabled"` here, or by dropping
# [event][original] in a filter, and re-testing.
codec => "json"
auto_offset_reset => "earliest"
group_id => "logstash_system_group"
client_id => "logstash_system_consumer"
consumer_threads => 5
}
}
output {
# Route through the Filebeat-installed ingest pipeline when the event names one.
if [@metadata][pipeline] {
elasticsearch {
hosts => ["https://REDACTED:9200"]
ssl => true
# Server certificate is verified against the mounted CA; keep this enabled.
ssl_certificate_verification => true
cacert => "/etc/ssl/elasticsearch-certs/tls.crt"
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}"
ecs_compatibility => "disabled"
# Data streams only accept the create op type.
action => "create"
# Credentials come from ${...} substitution (keystore/env), not from this file.
user => "${username}"
password => "${password}"
pipeline => "%{[@metadata][pipeline]}"
}
} else {
# Same output for events that name no pipeline; this block duplicates every
# setting above except `pipeline`, so keep the two in sync when editing.
elasticsearch {
hosts => ["https://REDACTED:9200"]
ssl => true
ssl_certificate_verification => true
cacert => "/etc/ssl/elasticsearch-certs/tls.crt"
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}"
ecs_compatibility => "disabled"
action => "create"
user => "${username}"
password => "${password}"
}
}
}
Failed Elasticsearch document (note that error.message quotes the whole JSON record, not the syslog line in `message`):
{
"_index": ".ds-filebeat-8.5.3-2023.01.03-000001",
"_id": "REDACTED",
"_version": 1,
"_score": 0,
"_source": {
"input": {
"type": "log"
},
"agent": {
"name": "ip-REDACTED.REDACTED.compute.internal",
"id": "af433b61-1a37-4916-94f7-0e7d36f84d97",
"type": "filebeat",
"ephemeral_id": "c514d01a-c282-4c2b-a91c-09c05af19b35",
"version": "8.5.3"
},
"@timestamp": "2023-01-12T18:17:05.111Z",
"ecs": {
"version": "8.0.0"
},
"log": {
"file": {
"path": "/var/log/secure"
},
"offset": 25919
},
"service": {
"type": "system"
},
"@version": "1",
"host": {
"name": "ip-REDACTED.REDACTED.compute.internal"
},
"event": {
"ingested": "2023-01-12T18:17:06.882875402Z",
"original": "{\"@timestamp\":\"2023-01-12T18:17:05.111Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"8.5.3\",\"pipeline\":\"filebeat-8.5.3-system-auth-pipeline\"},\"input\":{\"type\":\"log\"},\"fileset\":{\"name\":\"auth\"},\"agent\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\",\"type\":\"filebeat\",\"version\":\"8.5.3\",\"ephemeral_id\":\"c514d01a-c282-4c2b-a91c-09c05af19b35\",\"id\":\"af433b61-1a37-4916-94f7-0e7d36f84d97\"},\"ecs\":{\"version\":\"8.0.0\"},\"host\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\"},\"log\":{\"offset\":25919,\"file\":{\"path\":\"/var/log/secure\"}},\"message\":\"Jan 12 12:06:33 ip-REDACTED su: pam_unix(su-l:session): session closed for user root\",\"event\":{\"dataset\":\"system.auth\",\"module\":\"system\",\"timezone\":\"+00:00\"},\"service\":{\"type\":\"system\"}}",
"timezone": "+00:00",
"module": "system",
"dataset": "system.auth"
},
"fileset": {
"name": "auth"
},
"message": "Jan 12 12:06:33 ip-REDACTED su: pam_unix(su-l:session): session closed for user root",
"error": {
"message": "Provided Grok expressions do not match field value: [{\"@timestamp\":\"2023-01-12T18:17:05.111Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"8.5.3\",\"pipeline\":\"filebeat-8.5.3-system-auth-pipeline\"},\"input\":{\"type\":\"log\"},\"fileset\":{\"name\":\"auth\"},\"agent\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\",\"type\":\"filebeat\",\"version\":\"8.5.3\",\"ephemeral_id\":\"c514d01a-c282-4c2b-a91c-09c05af19b35\",\"id\":\"af433b61-1a37-4916-94f7-0e7d36f84d97\"},\"ecs\":{\"version\":\"8.0.0\"},\"host\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\"},\"log\":{\"offset\":25919,\"file\":{\"path\":\"/var/log/secure\"}},\"message\":\"Jan 12 12:06:33 ip-REDACTED su: pam_unix(su-l:session): session closed for user root\",\"event\":{\"dataset\":\"system.auth\",\"module\":\"system\",\"timezone\":\"+00:00\"},\"service\":{\"type\":\"system\"}}]"
}
},
"fields": {
"event.original": [
"{\"@timestamp\":\"2023-01-12T18:17:05.111Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"8.5.3\",\"pipeline\":\"filebeat-8.5.3-system-auth-pipeline\"},\"input\":{\"type\":\"log\"},\"fileset\":{\"name\":\"auth\"},\"agent\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\",\"type\":\"filebeat\",\"version\":\"8.5.3\",\"ephemeral_id\":\"c514d01a-c282-4c2b-a91c-09c05af19b35\",\"id\":\"af433b61-1a37-4916-94f7-0e7d36f84d97\"},\"ecs\":{\"version\":\"8.0.0\"},\"host\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\"},\"log\":{\"offset\":25919,\"file\":{\"path\":\"/var/log/secure\"}},\"message\":\"Jan 12 12:06:33 ip-REDACTED su: pam_unix(su-l:session): session closed for user root\",\"event\":{\"dataset\":\"system.auth\",\"module\":\"system\",\"timezone\":\"+00:00\"},\"service\":{\"type\":\"system\"}}"
],
"fileset.name": [
"auth"
],
"input.type": [
"log"
],
"log.offset": [
25919
],
"message": [
"Jan 12 12:06:33 ip-REDACTED su: pam_unix(su-l:session): session closed for user root"
],
"agent.hostname": [
"ip-REDACTED.REDACTED.compute.internal"
],
"service.type": [
"system"
],
"agent.type": [
"filebeat"
],
"event.ingested": [
"2023-01-12T18:17:06.882Z"
],
"@timestamp": [
"2023-01-12T18:17:05.111Z"
],
"event.module": [
"system"
],
"agent.id": [
"af433b61-1a37-4916-94f7-0e7d36f84d97"
],
"ecs.version": [
"8.0.0"
],
"error.message": [
"Provided Grok expressions do not match field value: [{\"@timestamp\":\"2023-01-12T18:17:05.111Z\",\"@metadata\":{\"beat\":\"filebeat\",\"type\":\"_doc\",\"version\":\"8.5.3\",\"pipeline\":\"filebeat-8.5.3-system-auth-pipeline\"},\"input\":{\"type\":\"log\"},\"fileset\":{\"name\":\"auth\"},\"agent\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\",\"type\":\"filebeat\",\"version\":\"8.5.3\",\"ephemeral_id\":\"c514d01a-c282-4c2b-a91c-09c05af19b35\",\"id\":\"af433b61-1a37-4916-94f7-0e7d36f84d97\"},\"ecs\":{\"version\":\"8.0.0\"},\"host\":{\"name\":\"ip-REDACTED.REDACTED.compute.internal\"},\"log\":{\"offset\":25919,\"file\":{\"path\":\"/var/log/secure\"}},\"message\":\"Jan 12 12:06:33 ip-REDACTED su: pam_unix(su-l:session): session closed for user root\",\"event\":{\"dataset\":\"system.auth\",\"module\":\"system\",\"timezone\":\"+00:00\"},\"service\":{\"type\":\"system\"}}]"
],
"log.file.path": [
"/var/log/secure"
],
"@version": [
"1"
],
"agent.ephemeral_id": [
"c514d01a-c282-4c2b-a91c-09c05af19b35"
],
"agent.name": [
"ip-REDACTED.REDACTED.compute.internal"
],
"agent.version": [
"8.5.3"
],
"host.name": [
"ip-REDACTED.REDACTED.compute.internal"
],
"event.dataset": [
"system.auth"
],
"event.timezone": [
"+00:00"
]
}
}