Hi,
Just enabled the filebeat module - syslog on my Ubuntu 16.0.4 box. I'm getting syslog output into Elastic but not the auth.log files.
I enabled debug in the filebeat.yml file and can see the following, so I'm assuming that logs are getting fed up to Elastic...
Module syslog is enabled.
I even tried hard setting the location of my auth.log file manually (/var/log/auth.log) but no go.
Output of my debug... (/var/log/filebeat/filebreat):
2018-03-24T18:06:40.301+1100 DEBUG [harvester] log/log.go:85 End of file reached: /var/log/auth.log; Backoff now.
2018-03-24T18:06:40.302+1100 DEBUG [publish] pipeline/processor.go:275 Publish event: {
"@timestamp": "2018-03-24T07:06:40.301Z",
"@metadata": {
"beat": "filebeat",
"type": "doc",
"version": "6.2.3",
"pipeline": "filebeat-6.2.3-system-auth-pipeline"
},
"message": "Mar 24 18:06:36 els01 sshd[2332]: Accepted password for root from 192.168.10.8 port 59525 ssh2",
"source": "/var/log/auth.log",
"offset": 290639,
"fileset": {
"module": "system",
"name": "auth"
},
"prospector": {
"type": "log"
},
"beat": {
"name": "els01",
"hostname": "els01",
"version": "6.2.3"
}
}
2018-03-24T18:06:40.302+1100 DEBUG [publish] pipeline/processor.go:275 Publish event: {
"@timestamp": "2018-03-24T07:06:40.301Z",
"@metadata": {
"beat": "filebeat",
"type": "doc",
"version": "6.2.3",
"pipeline": "filebeat-6.2.3-system-auth-pipeline"
},
"offset": 290737,
"message": "Mar 24 18:06:36 els01 sshd[2332]: pam_unix(sshd:session): session opened for user root by (uid=0)",
"source": "/var/log/auth.log",
"fileset": {
"module": "system",
"name": "auth"
},
"prospector": {
"type": "log"
},
"beat": {
"name": "els01",
"hostname": "els01",
"version": "6.2.3"
}
}
2018-03-24T18:06:40.314+1100 DEBUG [harvester] log/log.go:85 End of file reached: /var/log/syslog; Backoff now.
2018-03-24T18:06:41.302+1100 DEBUG [harvester] log/log.go:85 End of file reached: /var/log/auth.log; Backoff now.
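A quick way to check what the debug output above actually proves is to parse the "Publish event" JSON objects out of the Filebeat log and count them per fileset, ingest pipeline and source file. The debug lines in the post show events from /var/log/auth.log being published with fileset system/auth and pipeline filebeat-6.2.3-system-auth-pipeline, so Filebeat is shipping them; if the summary confirms that, the gap is on the Elasticsearch side (the ingest pipeline or the index), not in the harvester. The script below is an added example and is not code from the original post or from Filebeat; it assumes the log layout shown in the post (a `DEBUG [publish]` line ending in `Publish event: {` followed by a pretty-printed JSON object), and the sample input is constructed from the lines in the post plus one made-up syslog event.

```python
"""Summarise Filebeat 6.x debug output: which source files, filesets and
ingest pipelines are events really being published for?

Added example, not code from the original post or from Filebeat. It assumes
the layout seen in the post: a 'DEBUG [publish] ... Publish event: {' line
followed by a pretty-printed JSON object (indented or flat).
"""
import json
import re
from collections import Counter

# Constructed sample in the shape of the post's /var/log/filebeat output.
# The auth event is taken from the post; the syslog event is made up.
SAMPLE_DEBUG_LOG = """\
2018-03-24T18:06:40.301+1100 DEBUG [harvester] log/log.go:85 End of file reached: /var/log/auth.log; Backoff now.
2018-03-24T18:06:40.302+1100 DEBUG [publish] pipeline/processor.go:275 Publish event: {
"@timestamp": "2018-03-24T07:06:40.301Z",
"@metadata": {
"beat": "filebeat",
"type": "doc",
"version": "6.2.3",
"pipeline": "filebeat-6.2.3-system-auth-pipeline"
},
"message": "Mar 24 18:06:36 els01 sshd[2332]: Accepted password for root from 192.168.10.8 port 59525 ssh2",
"source": "/var/log/auth.log",
"offset": 290639,
"fileset": {
"module": "system",
"name": "auth"
},
"prospector": {
"type": "log"
},
"beat": {
"name": "els01",
"hostname": "els01",
"version": "6.2.3"
}
}
2018-03-24T18:06:40.305+1100 DEBUG [publish] pipeline/processor.go:275 Publish event: {
"@timestamp": "2018-03-24T07:06:40.304Z",
"@metadata": {
"beat": "filebeat",
"type": "doc",
"version": "6.2.3",
"pipeline": "filebeat-6.2.3-system-syslog-pipeline"
},
"message": "Mar 24 18:06:37 els01 systemd[1]: Started Session 12 of user root.",
"source": "/var/log/syslog",
"offset": 1024,
"fileset": {"module": "system", "name": "syslog"},
"prospector": {"type": "log"},
"beat": {"name": "els01", "hostname": "els01", "version": "6.2.3"}
}
2018-03-24T18:06:40.314+1100 DEBUG [harvester] log/log.go:85 End of file reached: /var/log/syslog; Backoff now.
"""

PUBLISH_RE = re.compile(r"DEBUG\s+\[publish\].*Publish event: \{\s*$")


def parse_publish_events(text):
    """Return the event dicts that follow each 'Publish event: {' line."""
    events = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        if PUBLISH_RE.search(lines[i]):
            body = ["{"]          # the opening brace sits on the DEBUG line
            i += 1
            while i < len(lines):
                body.append(lines[i])
                if lines[i].strip() == "}":
                    # Nested objects also close with "}", so only stop once
                    # the accumulated text parses as a complete object.
                    try:
                        events.append(json.loads("\n".join(body)))
                        break
                    except json.JSONDecodeError:
                        pass
                i += 1
        i += 1
    return events


def summarize(events):
    """Count published events per (module/fileset, ingest pipeline, source)."""
    counts = Counter()
    for ev in events:
        fileset = ev.get("fileset", {})
        key = (
            f"{fileset.get('module', '?')}/{fileset.get('name', '?')}",
            ev.get("@metadata", {}).get("pipeline", "<none>"),
            ev.get("source", "?"),
        )
        counts[key] += 1
    return counts


def auth_events_published(events):
    """True if at least one event was routed to the system/auth fileset."""
    return any(ev.get("fileset", {}).get("name") == "auth" for ev in events)


if __name__ == "__main__":
    evs = parse_publish_events(SAMPLE_DEBUG_LOG)
    for (fs, pipeline, src), n in sorted(summarize(evs).items()):
        print(f"{n:4d}  {fs:<14} {pipeline:<40} {src}")
    if auth_events_published(evs):
        print("auth events leave Filebeat; check the ingest pipeline and index in Elasticsearch")
```

Run it against the real file with `python3 script.py` after swapping `SAMPLE_DEBUG_LOG` for the contents of the Filebeat log. When auth events show up in the summary with the `filebeat-6.2.3-system-auth-pipeline` pipeline, the next things to verify are that that pipeline exists in Elasticsearch (`GET _ingest/pipeline/filebeat-6.2.3-system-auth-pipeline`; `filebeat setup --pipelines --modules system` loads it) and that the Kibana query is filtering on `fileset.name:auth` rather than only on syslog.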