How to display hostname and host IP on my Elasticsearch output?

Hi,

Can you please help me extract the host name (devname) from the message output in Elasticsearch? In my current config, only the IP is displayed in the host field.

Current config:
input {
  syslog {
    port => 5000
    host => "0.0.0.0"
  }
}

filter {
  if [port] == "5000" {
    grok {
      # The square brackets around the pid must be escaped in the grok pattern.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts    => "https://192.168.205.162:9200"
    index    => "estack-test-pipeline-index"
    user     => "elastic"
    password => "xxxxxx"
    cacert   => "/etc/logstash/newfile.crt.pem"
    # With verification disabled the cacert above is never checked against the server certificate.
    ssl_certificate_verification => false
  }
  stdout { codec => rubydebug }
}

result on discover tab in kibana:
@timestamp: Jun 15, 2021 @ 12:45:56.902
@version: 1
@version.keyword: 1
facility: 0
facility_label: kernel
facility_label.keyword: kernel
host: 172.30.255.254
host.keyword: 172.30.255.254
message: <189>date=2021-06-15 time=12:45:56 devname=PB43-OOB-FW01 devid=FG100D3G12812502 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=172.30.255.125 srcport=37748 srcintf="Po1.2550" dstip=192.168.91.214 dstport=135 dstintf="Po2.200" poluuid=88454b80-247f-51e9-759d-19191ca2d707 sessionid=3216852476 proto=6 action=timeout policyid=3 policytype=policy dstcountry="Reserved"

result in systemctl status logstash:
Jun 15 12:45:59 bgc-elk logstash[5081]: "@version" => "1",
Jun 15 12:45:59 bgc-elk logstash[5081]: "@timestamp" => 2021-06-15T04:45:59.293Z,
Jun 15 12:45:59 bgc-elk logstash[5081]: "severity" => 0
Jun 15 12:45:59 bgc-elk logstash[5081]: }
Jun 15 12:45:59 bgc-elk logstash[5081]: {
Jun 15 12:45:59 bgc-elk logstash[5081]: "priority" => 0,
Jun 15 12:45:59 bgc-elk logstash[5081]: "facility_label" => "kernel",
Jun 15 12:45:59 bgc-elk logstash[5081]: "host" => "172.30.255.254",
Jun 15 12:45:59 bgc-elk logstash[5081]: "facility" => 0,
Jun 15 12:45:59 bgc-elk logstash[5081]: "severity_label" => "Emergency",

Use a kv filter to parse [syslog_message]
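An added example (not part of the original thread or of Badger's reply) of how that kv step can be wired into the pipeline above. It assumes the FortiGate line still carries its `<189>` priority prefix in [message], as the Kibana output shows (the syslog input's own parser did not match it, which is why facility and severity came out as 0), so the priority is stripped first and kv is run on the remainder. The target field name `fortigate` is my choice:

```conf
filter {
  # Strip the "<PRI>" prefix so kv does not see "<189>date" as the first key.
  grok {
    match => { "message" => "^<%{POSINT:syslog_pri}>%{GREEDYDATA:syslog_message}" }
  }

  # Split the key=value pairs. Quoted values such as srcintf="Po1.2550" and
  # dstcountry="Reserved" are handled by kv's default quote handling.
  kv {
    source      => "syslog_message"
    target      => "fortigate"   # assumed nested field; all keys land under [fortigate]
    field_split => " "
    value_split => "="
  }

  # Expose devname as the hostname next to the sender IP the syslog input put in [host].
  if [fortigate][devname] {
    mutate {
      copy      => { "[fortigate][devname]" => "syslog_hostname" }
      add_field => { "received_from" => "%{host}" }
    }
  }
}
```

After this, [syslog_hostname] holds PB43-OOB-FW01 while [host] keeps 172.30.255.254, so both can be shown in Discover. The `<PRI>` grok only applies to lines that still have the prefix; a line without it gets a _grokparsefailure tag and no [syslog_message], so the kv stage is skipped for it rather than producing a malformed first key.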

Hi Badger,

Thank you. I was able to parse out the syslog message through adding a kv filter with grok. You were a great help!
