Filtering rules in Logstash


(Arvind Singh) #1

I have configured a few Filebeat machines and they are all sending logs (whatever is configured). For instance, I have applied filtering for /var/log/auth.log. Now I am getting too much data. I want to record only this type of log and then send it to Kibana: "Failed password for root from 61.177.172.69 port 20080 ssh2"

Here are the 3 files that I am using now:

02-beats-input.conf

input {
  beats {
    port => 5044
    # With ssl => false the certificate and key below are ignored and
    # Filebeat traffic arrives in cleartext; set ssl => true to use them.
    ssl => false
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
# Logstash merges every file in the pipeline directory into one pipeline,
# so this output duplicates the one in 30-elasticsearch-output.conf and
# every event is indexed twice (here into the default logstash-* index).
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
  }
}

10-syslog-filter.conf

filter {
  # Only parse events that Filebeat tagged with document_type: syslog
  if [type] == "syslog" {
    grok {
      # Split "Mon DD HH:MM:SS host program[pid]: message" into fields.
      # The brackets around the pid must be escaped: an unescaped [ ] is a
      # regex character class and the pattern would never match.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    syslog_pri { }
    # Use the timestamp from the log line as @timestamp instead of the
    # time Logstash received the event. Syslog pads single-digit days with
    # two spaces ("Jan  5"), hence the extra pattern.
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

30-elasticsearch-output.conf

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    # One index per Beat per day (filebeat-YYYY.MM.dd), typed by the
    # document_type Filebeat put in the event metadata
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

Can someone please point out what filters I can apply here?


(Bhargav Narine) #2

Hi,

Try to use a conditional.
Something like:

output {
  # Only events whose syslog_message contains the phrase reach
  # Elasticsearch; everything else is discarded at the output stage.
  if "Failed password for root" in [syslog_message] {
    elasticsearch {
      hosts => ["localhost:9200"]
    }
  }
}

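As an added example (not from either poster and not part of the original thread), here is the same rule written as a filter-stage rule rather than an output conditional, which is how I would deploy it: an event dropped in `filter` never reaches any output, so it costs nothing downstream, and a second grok pulls the user, source address and source port into their own fields so Kibana can aggregate on them instead of on a raw message string. It assumes the syslog grok from 10-syslog-filter.conf has already populated `syslog_program` and `syslog_message` (Logstash loads the files in a pipeline directory in lexical order, so any name sorting between 10- and 30- works; the file name 20-sshd-failed-password.conf is my choice, not something the thread specifies) and that Filebeat sets the event type to `syslog`, as the asker's filter expects. It goes slightly beyond the question by also parsing sshd's "invalid user" wording, and the final conditional narrows the result back to attempts against root.

```logstash
# 20-sshd-failed-password.conf (assumed file name; example added to this
# thread, not the asker's or Elastic's configuration)
filter {
  # Only events the syslog grok in 10-syslog-filter.conf has already split
  if [type] == "syslog" {

    # Anything that is not an sshd failed-password line is discarded here.
    # A missing field compares as not-equal / not-containing, so events that
    # failed the syslog grok are dropped as well.
    if [syslog_program] != "sshd" or "Failed password for" not in [syslog_message] {
      drop { }
    }

    # Pull the user, source IP and source port out of the message.
    # The optional "invalid user " prefix covers attempts against accounts
    # that do not exist on the host; %{IP} matches both IPv4 and IPv6.
    grok {
      match => { "syslog_message" => "Failed password for (?:invalid user )?%{USERNAME:ssh_user} from %{IP:ssh_src_ip} port %{POSINT:ssh_src_port:int} ssh2" }
      add_tag => [ "ssh_failed_password" ]
    }

    # Keep only attempts against root, which is what the question asked for.
    # Remove this block to index failed attempts against every account.
    # If the grok above did not match, ssh_user is absent and the event is
    # dropped here too.
    if [ssh_user] != "root" {
      drop { }
    }
  }
}
```

Check the syntax before restarting the service with `bin/logstash -f /etc/logstash/conf.d -t` (`-t` is `--config.test_and_exit`). One caveat worth weighing before rolling this out: once only failures are kept, the matching "Accepted password for root" lines are gone too, and a successful root login after a run of failures is exactly the event an analyst wants to see, so consider relaxing the first `drop` to keep both.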

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.