Hi again!
Here is the output that Filebeat wrote to its file output. I don't know whether it is transferring the event in that same format (JSON) to the Logstash server, though.
{
"@timestamp": "2023-09-14T21:14:08.829Z",
"@metadata": {
"beat": "filebeat",
"type": "_doc",
"version": "8.6.2",
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"raw_index": "filebeat-fsci-8.6.2-sys-linux"
},
"agent": {
"id": "7f080758-7e4f-4d73-9109-2a05b9e1a0b7",
"name": "syslogf.sti.usherbrooke.ca",
"type": "filebeat",
"version": "8.6.2",
"ephemeral_id": "e7efe019-569a-4ea6-8748-22545cb6a0ce"
},
"ecs": {
"version": "8.0.0"
},
"log": {
"file": {
"path": "/var/log/facultes/FSCI/fsci-secure.log"
},
"offset": 11246
},
"message": "Sep 14 17:14:05 dinf-miro sshd[120773]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.32.104.212 user=quiy2001",
"tags": [
"audit",
"syslog",
"FSCI"
],
"input": {
"type": "filestream"
},
"host": {
"name": "syslogf.sti.usherbrooke.ca"
}
}
Then I ran this event through the ingest pipeline simulator (`_simulate?verbose=true`) against the same pipeline named in `@metadata.pipeline`.
The input:
POST _ingest/pipeline/filebeat-8.6.2-system-syslog-pipeline/_simulate?verbose=true
{
"docs": [
{
"_source": {
"@timestamp": "2023-09-14T21:14:08.829Z",
"@metadata": {
"beat": "filebeat",
"type": "_doc",
"version": "8.6.2",
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"raw_index": "filebeat-fsci-8.6.2-sys-linux"
},
"agent": {
"id": "7f080758-7e4f-4d73-9109-2a05b9e1a0b7",
"name": "syslogf.sti.usherbrooke.ca",
"type": "filebeat",
"version": "8.6.2",
"ephemeral_id": "e7efe019-569a-4ea6-8748-22545cb6a0ce"
},
"ecs": {
"version": "8.0.0"
},
"log": {
"file": {
"path": "/var/log/facultes/FSCI/fsci-secure.log"
},
"offset": 11246
},
"message": "Sep 14 17:14:05 dinf-miro sshd[120773]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.32.104.212 user=quiy2001",
"tags": [
"audit",
"syslog",
"FSCI"
],
"input": {
"type": "filestream"
},
"host": {
"name": "syslogf.sti.usherbrooke.ca"
}
}
}
]
}
The output:
{
"docs": [
{
"processor_results": [
{
"processor_type": "set",
"status": "success",
"doc": {
"_index": "_index",
"_id": "_id",
"_version": "-3",
"_source": {
"input": {
"type": "filestream"
},
"agent": {
"name": "syslogf.sti.usherbrooke.ca",
"id": "7f080758-7e4f-4d73-9109-2a05b9e1a0b7",
"type": "filebeat",
"ephemeral_id": "e7efe019-569a-4ea6-8748-22545cb6a0ce",
"version": "8.6.2"
},
"@timestamp": "2023-09-14T21:14:08.829Z",
"ecs": {
"version": "8.0.0"
},
"log": {
"offset": 11246,
"file": {
"path": "/var/log/facultes/FSCI/fsci-secure.log"
}
},
"@metadata": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"beat": "filebeat",
"raw_index": "filebeat-fsci-8.6.2-sys-linux",
"type": "_doc",
"version": "8.6.2"
},
"host": {
"name": "syslogf.sti.usherbrooke.ca"
},
"message": "Sep 14 17:14:05 dinf-miro sshd[120773]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.32.104.212 user=quiy2001",
"event": {
"ingested": "2023-09-14T21:19:14.220979552Z"
},
"tags": [
"audit",
"syslog",
"FSCI"
]
},
"_ingest": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"timestamp": "2023-09-14T21:19:14.220979552Z"
}
}
},
{
"processor_type": "grok",
"status": "success",
"doc": {
"_index": "_index",
"_id": "_id",
"_version": "-3",
"_source": {
"agent": {
"name": "syslogf.sti.usherbrooke.ca",
"id": "7f080758-7e4f-4d73-9109-2a05b9e1a0b7",
"type": "filebeat",
"ephemeral_id": "e7efe019-569a-4ea6-8748-22545cb6a0ce",
"version": "8.6.2"
},
"process": {
"name": "sshd",
"pid": 120773
},
"log": {
"offset": 11246,
"file": {
"path": "/var/log/facultes/FSCI/fsci-secure.log"
}
},
"@metadata": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"beat": "filebeat",
"raw_index": "filebeat-fsci-8.6.2-sys-linux",
"type": "_doc",
"version": "8.6.2"
},
"message": "Sep 14 17:14:05 dinf-miro sshd[120773]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.32.104.212 user=quiy2001",
"tags": [
"audit",
"syslog",
"FSCI"
],
"input": {
"type": "filestream"
},
"@timestamp": "2023-09-14T21:14:08.829Z",
"system": {
"syslog": {
"message": "pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.32.104.212 user=quiy2001",
"timestamp": "Sep 14 17:14:05"
}
},
"ecs": {
"version": "8.0.0"
},
"host": {
"name": "syslogf.sti.usherbrooke.ca",
"hostname": "dinf-miro"
},
"event": {
"ingested": "2023-09-14T21:19:14.220979552Z"
}
},
"_ingest": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"timestamp": "2023-09-14T21:19:14.220979552Z"
}
}
},
{
"processor_type": "remove",
"status": "success",
"doc": {
"_index": "_index",
"_id": "_id",
"_version": "-3",
"_source": {
"input": {
"type": "filestream"
},
"agent": {
"name": "syslogf.sti.usherbrooke.ca",
"id": "7f080758-7e4f-4d73-9109-2a05b9e1a0b7",
"type": "filebeat",
"ephemeral_id": "e7efe019-569a-4ea6-8748-22545cb6a0ce",
"version": "8.6.2"
},
"process": {
"name": "sshd",
"pid": 120773
},
"@timestamp": "2023-09-14T21:14:08.829Z",
"system": {
"syslog": {
"message": "pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.32.104.212 user=quiy2001",
"timestamp": "Sep 14 17:14:05"
}
},
"ecs": {
"version": "8.0.0"
},
"log": {
"offset": 11246,
"file": {
"path": "/var/log/facultes/FSCI/fsci-secure.log"
}
},
"@metadata": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"beat": "filebeat",
"raw_index": "filebeat-fsci-8.6.2-sys-linux",
"type": "_doc",
"version": "8.6.2"
},
"host": {
"name": "syslogf.sti.usherbrooke.ca",
"hostname": "dinf-miro"
},
"event": {
"ingested": "2023-09-14T21:19:14.220979552Z"
},
"tags": [
"audit",
"syslog",
"FSCI"
]
},
"_ingest": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"timestamp": "2023-09-14T21:19:14.220979552Z"
}
}
},
{
"processor_type": "rename",
"status": "success",
"doc": {
"_index": "_index",
"_id": "_id",
"_version": "-3",
"_source": {
"agent": {
"name": "syslogf.sti.usherbrooke.ca",
"id": "7f080758-7e4f-4d73-9109-2a05b9e1a0b7",
"type": "filebeat",
"ephemeral_id": "e7efe019-569a-4ea6-8748-22545cb6a0ce",
"version": "8.6.2"
},
"process": {
"name": "sshd",
"pid": 120773
},
"log": {
"offset": 11246,
"file": {
"path": "/var/log/facultes/FSCI/fsci-secure.log"
}
},
"@metadata": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"beat": "filebeat",
"raw_index": "filebeat-fsci-8.6.2-sys-linux",
"type": "_doc",
"version": "8.6.2"
},
"message": "pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.32.104.212 user=quiy2001",
"tags": [
"audit",
"syslog",
"FSCI"
],
"input": {
"type": "filestream"
},
"@timestamp": "2023-09-14T21:14:08.829Z",
"system": {
"syslog": {
"timestamp": "Sep 14 17:14:05"
}
},
"ecs": {
"version": "8.0.0"
},
"host": {
"name": "syslogf.sti.usherbrooke.ca",
"hostname": "dinf-miro"
},
"event": {
"ingested": "2023-09-14T21:19:14.220979552Z"
}
},
"_ingest": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"timestamp": "2023-09-14T21:19:14.220979552Z"
}
}
},
{
"processor_type": "date",
"status": "success",
"if": {
"condition": "ctx.event.timezone == null",
"result": true
},
"doc": {
"_index": "_index",
"_id": "_id",
"_version": "-3",
"_source": {
"agent": {
"name": "syslogf.sti.usherbrooke.ca",
"id": "7f080758-7e4f-4d73-9109-2a05b9e1a0b7",
"type": "filebeat",
"ephemeral_id": "e7efe019-569a-4ea6-8748-22545cb6a0ce",
"version": "8.6.2"
},
"process": {
"name": "sshd",
"pid": 120773
},
"log": {
"offset": 11246,
"file": {
"path": "/var/log/facultes/FSCI/fsci-secure.log"
}
},
"@metadata": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"beat": "filebeat",
"raw_index": "filebeat-fsci-8.6.2-sys-linux",
"type": "_doc",
"version": "8.6.2"
},
"message": "pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.32.104.212 user=quiy2001",
"tags": [
"audit",
"syslog",
"FSCI"
],
"input": {
"type": "filestream"
},
"@timestamp": "2023-09-14T17:14:05.000Z",
"system": {
"syslog": {
"timestamp": "Sep 14 17:14:05"
}
},
"ecs": {
"version": "8.0.0"
},
"host": {
"name": "syslogf.sti.usherbrooke.ca",
"hostname": "dinf-miro"
},
"event": {
"ingested": "2023-09-14T21:19:14.220979552Z"
}
},
"_ingest": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"timestamp": "2023-09-14T21:19:14.220979552Z"
}
}
},
{
"processor_type": "date",
"status": "skipped",
"if": {
"condition": "ctx.event.timezone != null",
"result": false
}
},
{
"processor_type": "remove",
"status": "success",
"doc": {
"_index": "_index",
"_id": "_id",
"_version": "-3",
"_source": {
"agent": {
"name": "syslogf.sti.usherbrooke.ca",
"id": "7f080758-7e4f-4d73-9109-2a05b9e1a0b7",
"type": "filebeat",
"ephemeral_id": "e7efe019-569a-4ea6-8748-22545cb6a0ce",
"version": "8.6.2"
},
"process": {
"name": "sshd",
"pid": 120773
},
"log": {
"offset": 11246,
"file": {
"path": "/var/log/facultes/FSCI/fsci-secure.log"
}
},
"@metadata": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"beat": "filebeat",
"raw_index": "filebeat-fsci-8.6.2-sys-linux",
"type": "_doc",
"version": "8.6.2"
},
"message": "pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.32.104.212 user=quiy2001",
"tags": [
"audit",
"syslog",
"FSCI"
],
"input": {
"type": "filestream"
},
"@timestamp": "2023-09-14T17:14:05.000Z",
"system": {
"syslog": {}
},
"ecs": {
"version": "8.0.0"
},
"host": {
"name": "syslogf.sti.usherbrooke.ca",
"hostname": "dinf-miro"
},
"event": {
"ingested": "2023-09-14T21:19:14.220979552Z"
}
},
"_ingest": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"timestamp": "2023-09-14T21:19:14.220979552Z"
}
}
},
{
"processor_type": "set",
"status": "success",
"doc": {
"_index": "_index",
"_id": "_id",
"_version": "-3",
"_source": {
"agent": {
"name": "syslogf.sti.usherbrooke.ca",
"id": "7f080758-7e4f-4d73-9109-2a05b9e1a0b7",
"type": "filebeat",
"ephemeral_id": "e7efe019-569a-4ea6-8748-22545cb6a0ce",
"version": "8.6.2"
},
"process": {
"name": "sshd",
"pid": 120773
},
"log": {
"offset": 11246,
"file": {
"path": "/var/log/facultes/FSCI/fsci-secure.log"
}
},
"@metadata": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"beat": "filebeat",
"raw_index": "filebeat-fsci-8.6.2-sys-linux",
"type": "_doc",
"version": "8.6.2"
},
"message": "pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.32.104.212 user=quiy2001",
"tags": [
"audit",
"syslog",
"FSCI"
],
"input": {
"type": "filestream"
},
"@timestamp": "2023-09-14T17:14:05.000Z",
"system": {
"syslog": {}
},
"ecs": {
"version": "8.0.0"
},
"host": {
"name": "syslogf.sti.usherbrooke.ca",
"hostname": "dinf-miro"
},
"event": {
"ingested": "2023-09-14T21:19:14.220979552Z",
"kind": "event"
}
},
"_ingest": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"timestamp": "2023-09-14T21:19:14.220979552Z"
}
}
},
{
"processor_type": "append",
"status": "success",
"if": {
"condition": "ctx.host?.hostname != null && ctx.host?.hostname != ''",
"result": true
},
"doc": {
"_index": "_index",
"_id": "_id",
"_version": "-3",
"_source": {
"agent": {
"name": "syslogf.sti.usherbrooke.ca",
"id": "7f080758-7e4f-4d73-9109-2a05b9e1a0b7",
"type": "filebeat",
"ephemeral_id": "e7efe019-569a-4ea6-8748-22545cb6a0ce",
"version": "8.6.2"
},
"process": {
"name": "sshd",
"pid": 120773
},
"log": {
"offset": 11246,
"file": {
"path": "/var/log/facultes/FSCI/fsci-secure.log"
}
},
"@metadata": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"beat": "filebeat",
"raw_index": "filebeat-fsci-8.6.2-sys-linux",
"type": "_doc",
"version": "8.6.2"
},
"message": "pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.32.104.212 user=quiy2001",
"tags": [
"audit",
"syslog",
"FSCI"
],
"input": {
"type": "filestream"
},
"@timestamp": "2023-09-14T17:14:05.000Z",
"system": {
"syslog": {}
},
"ecs": {
"version": "8.0.0"
},
"related": {
"hosts": [
"dinf-miro"
]
},
"host": {
"name": "syslogf.sti.usherbrooke.ca",
"hostname": "dinf-miro"
},
"event": {
"ingested": "2023-09-14T21:19:14.220979552Z",
"kind": "event"
}
},
"_ingest": {
"pipeline": "filebeat-8.6.2-system-syslog-pipeline",
"timestamp": "2023-09-14T21:19:14.220979552Z"
}
}
}
]
}
]
}
Does this input make more sense to you? But in the output some fields are still missing: the pipeline only splits off the syslog envelope (`process.name`, `process.pid`, `host.hostname`, the timestamp), while the `rhost=10.32.104.212` and `user=quiy2001` values in the pam_sss message are never extracted into `source.ip` / `user.name`. I also notice that the first `date` processor ran because `event.timezone` was null and rewrote `@timestamp` from `2023-09-14T21:14:08.829Z` to `2023-09-14T17:14:05.000Z`, i.e. it treated the local syslog time as UTC, so the stored timestamp is about four hours off — which matters when these auth events are used for investigations. I'm totally confused.
Yanick