This is a sample log that I want to parse:
type=EXECVE msg=audit(1684525987.999:148345): argc=2 a0="vim" a1="logstash-syslog.conf"
This is the grok filter I am trying:
type=%{WORD:type} msg=audit\(%{NUMBER:audit}\): argc=%{NUMBER:argc} a0="%{WORD:a0}" a1="%{DATA:a1}"
It doesn't seem to be working in online debuggers. Also assuming you can get it to work, can you also show the correct syntax in applying it in the Logstash config?
Anton_H (Anton), May 20, 2023, 10:28am
Hi @roman-tasi ,
Your grok pattern doesn't match.
I am not sure if you wanted the number part after the colon in the audit field.
This pattern excludes that number:
type\=%{WORD:type} msg\=audit\(%{NUMBER:audit}\:%{NUMBER}\)\: argc\=%{NUMBER:argc} a0\=\"%{WORD:a0}\" a1\=\"%{DATA:a1}\"
This results in:
[
  {
    "type": "EXECVE",
    "audit": 1684525987.999,
    "argc": 2,
    "a0": "vim",
    "a1": "logstash-syslog.conf"
  }
]
And this one includes it, but it is no longer a number:
type\=%{WORD:type} msg\=audit\((?<audit>[\d\.\:]*)\)\: argc\=%{NUMBER:argc} a0\=\"%{WORD:a0}\" a1\=\"%{DATA:a1}\"
It will result in:
[
  {
    "type": "EXECVE",
    "audit": "1684525987.999:148345",
    "argc": 2,
    "a0": "vim",
    "a1": "logstash-syslog.conf"
  }
]
Also, see this thread for another approach to such messages.
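A Python parser that mirrors the second grok pattern above, added here as an example rather than code from this thread. It keeps both halves of the msg=audit(...) value numeric and, going beyond the thread, also decodes the unquoted hex form auditd uses for an argument it cannot print verbatim; the sample line is the one from the question.

```python
import re

# Constructed sample input: the EXECVE line from the question above.
SAMPLE = 'type=EXECVE msg=audit(1684525987.999:148345): argc=2 a0="vim" a1="logstash-syslog.conf"'

# Regex equivalent of the grok pattern in this answer, with the msg=audit(...)
# value split into its epoch timestamp and record serial so both stay numeric.
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'argc=(?P<argc>\d+)(?P<args>(?: a\d+=(?:"[^"]*"|[0-9A-Fa-f]+))*)\s*$'
)
# Each argument is either a quoted string or, when auditd cannot print it
# verbatim (spaces, quotes, control bytes), an unquoted hex string.
ARG_RE = re.compile(r'a(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')


def parse_execve(line):
    """Parse one auditd EXECVE record into a dict; return None when it does not match."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    record = {
        "type": m.group("type"),
        "audit_ts": float(m.group("ts")),
        "audit_serial": int(m.group("serial")),
        "argc": int(m.group("argc")),
    }
    for idx, quoted, hexed in ARG_RE.findall(m.group("args")):
        # An empty hex group means the quoted branch matched (possibly an empty string).
        value = quoted if hexed == "" else bytes.fromhex(hexed).decode("utf-8", "replace")
        record[f"a{idx}"] = value
    # argc comes from the kernel; a mismatch with the parsed arguments means the
    # line was truncated or split across records, which a rule should not accept silently.
    parsed = sum(1 for k in record if re.fullmatch(r"a\d+", k))
    record["complete"] = parsed == record["argc"]
    return record


if __name__ == "__main__":
    print(parse_execve(SAMPLE))
```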
Hi, I am trying this in my Logstash config:
if [log][file][path]=="/var/log/audit/audit.log" {
  kv {
    field_split => " "
    value_split => "="
    source => "message"
    trim_key => "\""
    trim_value => "\""
    remove_field => ["message"]
  }
}
However, it causes all logs from /var/log/audit/audit.log to not come into Kibana. Once I comment that code out, the logs start coming in again. What do you think is causing it to act like this? And is there a fix?
Also @Badger, this thread seems to be the exact issue I am having, which you also commented on but was not resolved. I'm just curious about the solution!
Remove the current output and replace it with
output { stdout { codec => rubydebug } }
and see what the messages look like.
@Badger I think I already have been implementing that. Here's my current output in my Logstash config:
output {
  if [type]=="syslog" {
    if [m] in [ "1080", "745", "263", "1079" ] {
      elasticsearch {
        hosts => ["localhost:9200"]
        index => "account-access-%{+yyyy.MM}"
      }
    } else {
      elasticsearch {
        hosts => ["localhost:9200"]
        index => "syslog-%{+yyyy.MM.dd}"
      }
    }
    stdout { codec => rubydebug }
  }
  if [type]=="beats" {
    if [host][os][type]=="linux" {
      if [host][name]=="mail.uhtasi.org" {
        if [cmd]=="Auth"{
          elasticsearch {
            hosts => ["localhost:9200"]
            index => "account-access-%{+yyyy.MM}"
          }
        } else {
          elasticsearch {
            hosts => ["localhost:9200"]
            index => "zimbra-%{+yyyy.MM.dd}"
          }
        }
      } else {
        elasticsearch {
          hosts => ["localhost:9200"]
          index => "linux-%{+yyyy.MM.dd}"
        }
      }
    }
    if [host][os][type]=="windows" or [agent][name]=="DCON2" or [agent][name]=="Dcon3" {
      if [event][code] in [ "307", "4624", "4625", "4634", "4723", "4740", "4767", "11707" ] {
        elasticsearch {
          hosts => ["localhost:9200"]
          index => "account-access-%{+yyyy.MM}"
        }
      } else {
        elasticsearch {
          hosts => ["localhost:9200"]
          index => "winlogbeat-%{+yyyy.MM.dd}"
        }
      }
    }
    stdout { codec => rubydebug }
  }
}
Also, here are some lines from the /var/log/messages file related to /var/log/audit/audit.log:
Jun 1 20:40:03 ELK-Stack filebeat: "path": "/var/log/audit/audit.log"
Jun 1 20:40:03 ELK-Stack filebeat: "path": "/var/log/audit/audit.log"
Jun 1 20:40:07 ELK-Stack filebeat: 2023-06-01T20:40:07.799-1000#011DEBUG#011[input.filestream]#011filestream/prospector.go:188#011File /var/log/audit/audit.log has been updated#011{"id": "my-filestream-id", "prospector": "file_prospector", "operation": "write", "source_name": "native::201877637-64768", "os_id": "201877637-64768", "new_path": "/var/log/audit/audit.log", "old_path": "/var/log/audit/audit.log"}
Jun 1 20:40:09 ELK-Stack filebeat: "message": "Jun 1 20:40:03 ELK-Stack filebeat: \"path\": \"/var/log/audit/audit.log\"",
Jun 1 20:41:07 ELK-Stack filebeat: 2023-06-01T20:41:07.092-1000#011DEBUG#011[input.filestream]#011filestream/filestream.go:131#011End of file reached: /var/log/audit/audit.log; Backoff now.#011{"id": "my-filestream-id", "source": "filestream::my-filestream-id::native::201877637-64768", "path": "/var/log/audit/audit.log", "state-id": "native::201877637-64768"}
Jun 1 20:41:37 ELK-Stack filebeat: 2023-06-01T20:41:37.103-1000#011DEBUG#011[input.filestream]#011filestream/filestream.go:131#011End of file reached: /var/log/audit/audit.log; Backoff now.#011{"id": "my-filestream-id", "source": "filestream::my-filestream-id::native::201877637-64768", "path": "/var/log/audit/audit.log", "state-id": "native::201877637-64768"}
Also notice it's related to filebeat, not logstash.
system (system), Closed June 30, 2023, 7:19am
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.