How to add hostname to logs that normally do not contain hostname?

Michael1 · June 28, 2016, 2:43pm

I am trying to send SharePoint logs to Logstash and the typical SharePoint logs do not contain the server name. Would I have to do this somewhere in the Beats config, or?

steffens · June 28, 2016, 3:07pm

See common beats exported fields doc for filebeat: https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-env.html

Michael1 · June 28, 2016, 3:08pm

I got that, but how would you parse it with GROK?

steffens · June 28, 2016, 3:10pm

no need to parse. the field is part of the event as presented to logstash. You can access the hostname via [beat][hostname] in logstash.

Michael1 · June 28, 2016, 3:23pm

So you do not need to add anything to logstash.conf in the input/output sections to be able to display the hostname in Kibana for each of those logs?

andrewkroh · June 28, 2016, 3:48pm

No, Filebeat always adds a beat.hostname field to every event it sends and this will be visible is Kibana.

Michael1 · June 28, 2016, 5:40pm

I still don't see this. I am trying to send the following log to Logstash ::

Timestamp Process TID Area Category EventID Level Message Correlation
06/28/2016 13:55:09.12 w3wp.exe (0x1890) 0x0D28 SharePoint Foundation Client File Access 0000 Monitorable [CsiSandbox Stats] Stack Size: 1 Total Created: 7 Max At Once: Total 1 164325c1-3dbd-43d5-a83c-60e9af2498d9

This is the GROK I am using in logstash.conf ::

%{DATESTAMP:parsedtime} \t%{DATA:process} (%{DATA:processcode})(\s*)\t%{DATA:tid}(\s*)\t%{DATA:area}(\s*)\t%{DATA:category}(\s*)\t%{WORD:eventID}(\s*)\t%{WORD:level}(\s*)\t%{DATA:eventmessage}\t%{UUID:CorrelationID}

%{DATESTAMP:parsedtime} \t%{DATA:process} (%{DATA:processcode})(\s*)\t%{DATA:tid}(\s*)\t%{DATA:area}(\s*)\t%{DATA:category}(\s*)\t%{WORD:eventID}(\s*)\t%{WORD:level}(\s*)\t%{GREEDYDATA:eventmessage}

This is how it comes out in Kibana, and it doesn't show the hostname either ::

message: \u0006\t\x98-7\xCE\xF1\xB03\u001E\x9C-jd\xA7\x88\u0005\xDB\xF8M+\x9D+\xAD\x976\u000FZ\x93I\xEBu\xBA^\xF1\xA7\xF9LH\u001E\v\x99\x88$\u001Eq9\x94\xB2_ڜ"m\x96\u0005\xA0P\u0011\xB1

tags: _grokparsefailure

I checked my GROK in the debugger and it parsed those fields properly. I notice when I configure filebeat to output to file only, it is in JSON format. Does that need to be parsed instead of what is inside the actual log file it is collecting input from to send to Logstash?

andrewkroh · June 28, 2016, 9:04pm

Can you please share the configurations you are using for Filebeat and Logstash.

Michael1 · June 29, 2016, 2:16pm

Sure ::

Filebeat ::

############################# Filebeat ######################################
filebeat:
  # List of prospectors to fetch data.
  prospectors:

      paths:
        - F:\Logs\ULS\STSP*.log
 
      input_type: log

      document_type: ULS

  idle_timeout: 10s

  registry_file: "C:/ProgramData/filebeat/registry"

output:

  ### Logstash as output
  logstash:
    # The Logstash hosts
    hosts: ["10.0.1.9:60115"]

    index: ad-app-sharepoint

shipper:

  name:

logging:

  files:
    # The directory where the log files will written to.
    path: f:\filebeat\logs

    rotateeverybytes: 10485760 # = 10MB

    level: info

Logstash ::

input {
    tcp {
        port => 60115
        type => "ULS"
    }
}

filter {
    if [type] == "ULS" {
        grok {
            match => {
                "message" => "%{DATESTAMP:parsedtime} \t%{DATA:process} \(%{DATA:processcode}\)(\s*)\t%{DATA:tid}(\s*)\t%{DATA:area}(\s*)\t%{DATA:category}(\s*)\t%{WORD:eventID}(\s*)\t%{WORD:level}(\s*)\t%{DATA:eventmessage}\t%{UUID:CorrelationID}"
            }
            match => {
                "message" => "%{DATESTAMP:parsedtime} \t%{DATA:process} \(%{DATA:processcode}\)(\s*)\t%{DATA:tid}(\s*)\t%{DATA:area}(\s*)\t%{DATA:category}(\s*)\t%{WORD:eventID}(\s*)\t%{WORD:level}(\s*)\t%{DATA:eventmessage}\t%{UUID:CorrelationID}"
            }
                        match => {
                "message" => "%{DATESTAMP:parsedtime} \t%{DATA:process} \(%{DATA:processcode}\)(\s*)\t%{DATA:tid}(\s*)\t%{DATA:area}(\s*)\t%{DATA:category}(\s*)\t%{WORD:eventID}(\s*)\t%{WORD:level}(\s*)\t%{GREEDYDATA:eventmessage}"
            }
                    match => {
                "message" => "%{DATESTAMP:parsedtime} \t%{DATA:process} \(%{DATA:processcode}\)(\s*)\t%{DATA:tid}(\s*)\t%{DATA:area}(\s*)\t%{DATA:category}(\s*)\t%{WORD:eventID}(\s*)\t%{WORD:level}(\s*)\t%{GREEDYDATA:eventmessage}"
            }
        }
        date {
                match => ["parsedtime","MM/dd/YYYY HH:mm:ss.SSS"]
             }
    }
}

output {
 
  if [type] == "ULS" {
    elasticsearch {
        hosts => ["10.0.1.6", "10.0.1.4", "10.0.1.5"]
        index => "ad-app-sharepoint-%{+YYYY.MM.dd}"
        template => "/data/elk-conf/ad-app-sharepoint-template-index.yml"
        template_name => "ad-app-sharepoint"
        user => "shieldadmin"
        password => "shieldadminpassword"
    }
  }
}

steffens · June 29, 2016, 3:52pm

why have you configured the tcp input plugin? Use the beats input plugin, which can correctly handle the protocol used to push events logstash.

Michael1 · June 29, 2016, 4:01pm

Great tip, I have changed the input to beats, instead of tcp. As a side note it must have been tcp due to using nxlog before but now using beats.

So, now the logs appear in Kibana, but I am still seeing a grokparsefailure. I no longer see the cryptic message, however.

It is lumping the whole log into the 'message' field, and not separating them into different fields, which is what I thought Logstash does.

Michael1 · June 29, 2016, 4:32pm

....and suddenly, it starts parsing the fields correctly....

Michael1 · June 29, 2016, 5:03pm

What would cause a bunch of these? It errors the index in Kibana when accessing...

2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T16:55:42Z INFO Read line error: file inactive
2016-06-29T17:00:16Z INFO Events sent: 2
2016-06-29T17:00:16Z INFO Registry file updated. 2152 states written.
2016-06-29T17:00:17Z INFO Read line error: file inactive

steffens · June 30, 2016, 9:54am

file inactive is generated when file is closed after close_older, due to file has not been changes in a duration of close_older. Message can be ignored, as it's normal behavior. The log should be changed to Closing inactive file <filename>. With INFO message in filebeat are supposed to show progress I'm not sure it makes sense to downgrade message to DEBUG level.

system · July 19, 2016, 2:43pm

This topic was automatically closed after 21 days. New replies are no longer allowed.