Grok filter not triggered

pol4bear · February 16, 2020, 4:15pm

Hi. I'm trying to transfer data from filebeat and metricbeat. I'm using Elastic Stack 7.6.0 and I saw document on Elastic homepage. Configure below is my logstash.conf but metricbeat works well but filebeat's apache2 and system not triggered. Is there any error in my configure?

input {
  beats {
    port => 5044
    host => "localhost"
  }
}
filter {
  if [@metadata][beat] == "filebeat" {
    if [fileset][module] == "apache2" {
      mutate {
        add_field => { "log_module" => "apache" }
      }
      if [fileset][name] == "access" {
        mutate {
          add_field => { "log_type" => "access" }
        }

        grok {
          match => { "message" => ["%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \[%{HTTPDATE:[apache2][access][time]}\] \"%{WORD:[apache2][access][method]} %{DATA:[apache2][access][url]} HTTP/%{NUMBER:[apache2][access][http_version]}\" %{NUMBER:[apache2][access][response_code]} %{NUMBER:[apache2][access][body_sent][bytes]}( \"%{DATA:[apache2][access][referrer]}\")?( \"%{DATA:[apache2][access][agent]}\")?",
            "%{IPORHOST:[apache2][access][remote_ip]} - %{DATA:[apache2][access][user_name]} \\[%{HTTPDATE:[apache2][access][time]}\\] \"-\" %{NUMBER:[apache2][access][response_code]} -" ] }
          remove_field => "message"
        }
        mutate {
          add_field => { "read_timestamp" => "%{@timestamp}" }
        }
        date {
          match => [ "[apache2][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
          remove_field => "[apache2][access][time]"
        }
        useragent {
          source => "[apache2][access][agent]"
          target => "[apache2][access][user_agent]"
          remove_field => "[apache2][access][agent]"
        }
        geoip {
          source => "[apache2][access][remote_ip]"
          target => "[apache2][access][geoip]"
        }
      }
      else if [fileset][name] == "error" {
        mutate {
          add_field => { "log_type" => "error" }
        }
        grok {
          match => { "message" => ["\[%{APACHE_TIME:[apache2][error][timestamp]}\] \[%{LOGLEVEL:[apache2][error][level]}\]( \[client %{IPORHOST:[apache2][error][client]}\])? %{GREEDYDATA:[apache2][error][message]}",
            "\[%{APACHE_TIME:[apache2][error][timestamp]}\] \[%{DATA:[apache2][error][module]}:%{LOGLEVEL:[apache2][error][level]}\] \[pid %{NUMBER:[apache2][error][pid]}(:tid %{NUMBER:[apache2][error][tid]})?\]( \[client %{IPORHOST:[apache2][error][client]}\])? %{GREEDYDATA:[apache2][error][message1]}" ] }
          pattern_definitions => {
            "APACHE_TIME" => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
          }
          remove_field => "message"
        }
        mutate {
          rename => { "[apache2][error][message1]" => "[apache2][error][message]" }
        }
        date {
          match => [ "[apache2][error][timestamp]", "EEE MMM dd H:m:s YYYY", "EEE MMM dd H:m:s.SSSSSS YYYY" ]
          remove_field => "[apache2][error][timestamp]"
        }
      }
    }
    else if [fileset][module] == "system" {
      mutate {
        add_field => { "log_module" => "system" }
      }
      if [fileset][name] == "auth" {
        mutate {
          add_field => { "log_type" => "auth" }
        }
        grok {
          match => { "message" => ["%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} %{DATA:[system][auth][ssh][method]} for (invalid user )?%{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]} port %{NUMBER:[system][auth][ssh][port]} ssh2(: %{GREEDYDATA:[system][auth][ssh][signature]})?",
                    "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} user %{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]}",
                    "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: Did not receive identification string from %{IPORHOST:[system][auth][ssh][dropped_ip]}",
                    "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sudo(?:\[%{POSINT:[system][auth][pid]}\])?: \s*%{DATA:[system][auth][user]} :( %{DATA:[system][auth][sudo][error]} ;)? TTY=%{DATA:[system][auth][sudo][tty]} ; PWD=%{DATA:[system][auth][sudo][pwd]} ; USER=%{DATA:[system][auth][sudo][user]} ; COMMAND=%{GREEDYDATA:[system][auth][sudo][command]}",
                    "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} groupadd(?:\[%{POSINT:[system][auth][pid]}\])?: new group: name=%{DATA:system.auth.groupadd.name}, GID=%{NUMBER:system.auth.groupadd.gid}",
                    "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} useradd(?:\[%{POSINT:[system][auth][pid]}\])?: new user: name=%{DATA:[system][auth][useradd][name]}, UID=%{NUMBER:[system][auth][useradd][uid]}, GID=%{NUMBER:[system][auth][useradd][gid]}, home=%{DATA:[system][auth][useradd][home]}, shell=%{DATA:[system][auth][useradd][shell]}$",
                    "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} %{DATA:[system][auth][program]}(?:\[%{POSINT:[system][auth][pid]}\])?: %{GREEDYMULTILINE:[system][auth][message]}"] }
          pattern_definitions => {
            "GREEDYMULTILINE"=> "(.|\n)*"
          }
          remove_field => "message"
        }
        date {
          match => [ "[system][auth][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
        }
        geoip {
          source => "[system][auth][ssh][ip]"
          target => "[system][auth][ssh][geoip]"
        }
      }
      else if [fileset][name] == "syslog" {
        mutate {
          add_field => { "log_type" => "syslog" }
        }
        grok {
          match => { "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:[system][syslog][hostname]} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"] }
          pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
          remove_field => "message"
        }
        date {
          match => [ "[system][syslog][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
      }
      }
    }
  }
  else if [@metadata][beat] == "metricbeat"  {
    mutate {
      add_field => { "log_module" => "metric" }
    }
    mutate {
      add_field => { "log_type" => "metric" }
    }
  }
  
}
output {
  elasticsearch {
    hosts => "192.168.0.101"
    manage_template => false
    index => "%{[log_module]}-%{[log_type]}"
  }
}

ITIC · February 17, 2020, 10:45am

Hi

I'd suggest you add a stdout{} plugin to your otuput{} and use that information to debug your filter.

Hope this helps

pol4bear · February 17, 2020, 11:03am

Hi

I found that [fileset][module] is not triggered. Everything without [fileset][module] works file. On now I removed [fileset][module] statement because [fileset][name] has no duplicated name so it works fine tho.

I think Filebeat's [fileset][module] feature removed on 7.6.0 or maybe the bug only belongs to me. But, if is not 7.6.0 document has to be updated.

system · March 16, 2020, 11:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.