Having issues importing logs to elasticsearch, Grok Issue?

I'm trying to import log files from Kiwi to Elasticsearch using Logstash. These log files are ANSI encoded, with each log entry separated by a newline.

2019-05-24 11:23:25 Daemon.Notice WIN-DLI9AO07ERU May 24 11:23:24 WIN-DLI9AO07ERU Service_Control_Manager: 7036: The Windows Update service entered the running state.

That is an example of the logs I'm dealing with, and this is the config file I created for it.

input {
  file {
    file_sort_by => "last_modified"
    mode => "tail"
    path => "/home/elkbnk/Kiwi Log Files/*.txt"
    start_position => "beginning"
    codec => line {
      charset => "Windows-1252"
    }
    type => "kiwisyslog"
    tags => ["_kiwisyslog"]
    sincedb_path => "/home/elkbnk/Kiwi Log Files/.sincedb"
  }
}

filter {
  grok {
    match => {
      "message" => ["%{SYSLOGBASE5}\s%{GREEDYDATA:[kiwi][syslog][message]}"]
    }
    pattern_definitions => {
      "FACILITIES" => "(\w+)"
      "SYSLOGBASE5" => "%{TIMESTAMP_ISO8601:@timestamp}\t%{FACILITIES:[kiwi][syslog][facility]}.%{LOGLEVEL:[kiwi][syslog][level]}\t%{SYSLOGHOST:[host][name]}\t%{SYSLOGTIMESTAMP:[kiwi][sysl$
    }
    tag_on_failure => "_grokparsefailure"
  }
  date {
    # Joda-style pattern: MM is the month, mm is minutes
    match => [ "@timestamp", "yyyy-MM-dd HH:mm:ss" ]
    tag_on_failure => "_dateparsefailure"
  }
}

output
{
  file{
    path => "/tmp/logstashfiletest.txt"
  }
  if "_grokparsefailure" not in [tags]
  {
    if "_dateparsefailure" not in [tags]
    {
      elasticsearch
      {
        hosts => ["https://10.21.112.119:9200"]
        user => "logstash_internal"
        password => Whoops, nothing to see here
        ssl => true
        cacert => "/etc/certs/elastic-stack-ca.pem"
      }
    } else
    {
      file
      {
        path => "/var/log/parsefailure/dateparsefailure.log"
      }
    }
  } else
  {
    file
    {
      path => "/var/log/parsefailure/grokparsefailure.log"
    }
  }
}

I used to have a check before the filter and output to see if it should go through that processing, but I removed it and all other inputs for testing purposes. That is also the only config file I have in the directory. No output files are created, neither the parsefailure logs nor the test output file. It is also not showing up in Kibana.

The debug logs show that the files are getting inputted line by line:

[2019-06-12T15:11:41,381][DEBUG][logstash.inputs.file ] Received line {:path=>"/home/elkbnk/Kiwi Log Files/SyslogCatchAll-2019-04-01.txt", :text=>"2019-04-01 00:50:24\tDaemon.Notice\tWIN-DLI9AO07ERU\tApr 1 00:50:23 WIN-DLI9AO07ERU Service_Control_Manager: 7036: The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.\r"}

Before I moved the other config file, Filebeat data was flowing through fine; I just can't get these logs to work.
Any help would be greatly appreciated, and I'd be happy to provide more logs and info if you need it.

So upon further testing, touching the log files created them and I got 1 line of output in both the testlog file and grokparsefailure file. This is a bit of the testlog file:

{"kiwi":{"syslog":{"level":"Notice","facility":"Daemon"}},"host":"localhost.localdomain","message":"2019-04-01 00:50:24\tDaemon.Notice\tWIN-DLI9AO07ERU\tApr 1 00:50:23 WIN-DLI9AO07ERU Service_Control_Manager: 7036: The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.\r2019-04-01 00:53:24\tDaemon.Notice\tWIN-DLI9AO07ERU\tApr 1 00:53:23 WIN...

It seems to not be splitting the lines, but rather smashing them all together for some reason. The log file says that it's interpreting each line individually, so I don't know why it's not working like that. That might also be why there's a parse failure.

Also, the input files are partially tab-delimited. Is Logstash interpreting those tabs as tab characters or literally as "/t"? That may also be causing issues. I don't know how nano or Logstash's logging deals with tab characters.
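As an added illustration (not code from the thread), here is a Python equivalent of the thread's SYSLOGBASE5 grok pattern applied to constructed Kiwi export lines. It splits records on the Windows \r\n terminator so the trailing \r seen in the debug log never ends up inside an event, which is the "smashed together" symptom above. Field names mirror the grok captures; the sample lines are constructed from the ones quoted in the thread.

```python
import re
from datetime import datetime

# Constructed sample in the Kiwi export layout: tab-delimited header, then the original
# syslog header and message, Windows-1252 encoded with \r\n line endings.
SAMPLE = (
    "2019-04-01 00:50:24\tDaemon.Notice\tWIN-DLI9AO07ERU\tApr 1 00:50:23 WIN-DLI9AO07ERU "
    "Service_Control_Manager: 7036: The WinHTTP Web Proxy Auto-Discovery Service service "
    "entered the stopped state.\r\n"
    "2019-04-01 00:53:24\tDaemon.Notice\tWIN-DLI9AO07ERU\tApr 1 00:53:23 WIN-DLI9AO07ERU "
    "Service_Control_Manager: 7036: The Windows Update service entered the running state.\r\n"
).encode("cp1252")

# Regex equivalent of the thread's grok: ISO timestamp, facility.level, host, syslog
# timestamp, syslog host, then the rest as the message. A stray trailing \r is tolerated.
KIWI_LINE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\t"
    r"(?P<facility>\w+)\.(?P<level>\w+)\t"
    r"(?P<host>[\w.-]+)\t"
    r"(?P<syslog_ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<syslog_host>[\w.-]+) "
    r"(?P<message>.*?)\r?$"
)


def split_kiwi_records(data: bytes) -> list:
    """Decode a Windows-1252 export and split it into one string per record.
    splitlines() treats \\r\\n, \\n and a bare \\r as terminators, so no \\r survives."""
    return [ln for ln in data.decode("cp1252").splitlines() if ln.strip()]


def parse_kiwi_line(line: str):
    """Return the captured fields as a dict, or None on a 'grok failure'."""
    m = KIWI_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Parse the ISO timestamp; in the Logstash date filter the matching Joda pattern
    # is "yyyy-MM-dd HH:mm:ss" (upper-case MM for month, lower-case mm for minutes).
    rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
    return rec


if __name__ == "__main__":
    for record in split_kiwi_records(SAMPLE):
        print(parse_kiwi_line(record))
```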

Not sure why you would expect those to be split. You have \r embedded in the string. That is not a line terminator on either UNIX (which uses \n) or Windows (which uses \r\n). Are you pulling files from a Mac OS box?

No, they're coming out of a windows text file.

Then I wonder if the codec+charset is wrong. What happens if you remove that?

I removed the charset line and it didn't even write to the log files. When I removed both, it started working, sans some minor grok and date debugging. Now I'm having an issue where Logstash is sending too many requests to Elasticsearch and getting rejected. Is there a way to slow down the output, or at least hold those events in the pipeline until Elasticsearch can accept them, then push them through again?

Ok, I didn't realize it was still going through and sending the logs even though it was throwing those messages. Everything working well now. Thank you for your help!!
