Hello,
I am trying to get Filebeat to update `@timestamp` with the timestamp processor, but I think I am having trouble because the log timestamp is missing the year.
Example log:

```
Mar 12 07:06:38 asdefg/xx.xx.xx.xx sshd[7936]: Accepted password for zzzz from yy.yy.yy.yy port 36394 ssh2 on interface eth1
```
This is my filebeat.yml:

```yaml
filebeat.inputs:
##############
- type: log
  enabled: true
  close_eof: true
  paths: ["/logsAV/f2b/bcvev*/*.log"]
  index: "bcvev"
  processors:
    - dissect:
        tokenizer: "%{+DATE} %{+DATE} %{+DATE} %{host}/%{ipaddress|ip} %{protocol} %{status} %{} %{} %{user} %{} %{remoteip|ip} %{} %{port|integer} %{} %{} %{} %{interface}"
    - timestamp:
        ignore_failure: false
        field: "DATE"
        layouts:
          - "Jan 02 15:04:05"

output.console:
  pretty: true
  enabled: true
```
This is a sample from the console:

```json
{
  "@timestamp": "2022-03-28T22:18:23.998Z",
  "@metadata": {
    "beat": "filebeat",
    "type": "_doc",
    "version": "7.14.1",
    "raw_index": "bcvev"
  },
  "message": "Mar 12 07:06:38 asdefg/xx.xx.xx.xx sshd[7936]: Accepted password for zzzz from yy.yy.yy.yy port 36394 ssh2 on interface eth1",
  "input": {
    "type": "log"
  },
  "ecs": {
    "version": "1.10.0"
  },
  "host": {
    "name": "av-backup01.openstacklocal"
  },
  "agent": {
    "name": "av-backup01.openstacklocal",
    "type": "filebeat",
    "version": "7.14.1",
    "hostname": "av-backup01.openstacklocal",
    "ephemeral_id": "eeb47135-3ca7-4c4f-94ba-a3804521c12c",
    "id": "1f051025-9d0c-41c4-8ae6-1a45d90ca418"
  },
  "dissect": {
    "user": "zzzz",
    "port": 36394,
    "ipaddress": "xx.xx.xx.xx",
    "protocol": "sshd[7936]:",
    "DATE": "Mar 12 07:06:38",
    "remoteip": "yy.yy.yy.yy",
    "host": "asdefg",
    "interface": "eth1",
    "status": "Accepted"
  },
  "log": {
    "file": {
      "path": "/logsAV/f2b/bcvev-02-01/EMauditMar12.log"
    },
    "offset": 35662
  }
}
```
Thanks in advance for any assistance!
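A corrected processor chain for the same log line, added here as an example and not part of the original post or of the Elastic documentation: it points the timestamp processor at `dissect.DATE`, the prefix the console output shows the dissect processor writing under, instead of the bare `DATE` that does not exist on the event. It assumes the timestamp processor fills in the current year when a layout carries none and that the log host's local zone is the right one; the `process` and `pid` field names are my own choice.

```yaml
filebeat.inputs:
- type: log
  enabled: true
  close_eof: true
  paths: ["/logsAV/f2b/bcvev*/*.log"]
  index: "bcvev"
  processors:
    - dissect:
        # Same split as the original tokenizer, but "sshd[7936]:" is broken
        # into a process name and a numeric PID instead of being labelled "protocol".
        tokenizer: "%{+DATE} %{+DATE} %{+DATE} %{host}/%{ipaddress|ip} %{process}[%{pid|integer}]: %{status} %{} %{} %{user} %{} %{remoteip|ip} %{} %{port|integer} %{} %{} %{} %{interface}"
    - timestamp:
        # dissect stores its fields under the "dissect" prefix (see the console
        # sample), so the field path must be dissect.DATE, not DATE.
        field: "dissect.DATE"
        target_field: "@timestamp"
        # Go reference-time layouts. "_2" accepts a space-padded day as well
        # as a zero-padded one; the original "Jan 02" form is kept as a fallback.
        layouts:
          - "Jan _2 15:04:05"
          - "Jan 02 15:04:05"
        # Assumption: the sshd log lines were written in the host's local time zone.
        # Assumption: with no year in the layout the processor uses the current year.
        timezone: "Local"
        # Keep failures visible while testing so a parse error shows in the console.
        ignore_failure: false
        # Startup self-check: Filebeat refuses to start if this sample
        # does not parse with one of the layouts above.
        test:
          - "Mar 12 07:06:38"
    - drop_fields:
        # The raw text timestamp is redundant once @timestamp is set.
        fields: ["dissect.DATE"]
        ignore_missing: true

output.console:
  pretty: true
  enabled: true
```

With the field path corrected, `@timestamp` in the console output should read `2022-03-12T07:06:38.000Z` (adjusted for the configured zone) rather than the ingest time.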