Greetings:
I'm trying to send syslogs to my Elasticsearch by using Logstash. My syslog contains entries like the ones below:
1. Apr 15 22:10:23 myubuntuhost Console[16]: time="2018-04-15T22:10:23.462460809Z" type="scan_summary" log_type="image" image_id="mynewregistry.org/image:latest" image_name="mynewregistry.org/image:latest" vulnerabilties="612" compliance="2"
2. Apr 15 22:10:23 myubuntuhost Console[16]: time="2018-04-15T22:10:23.462460809Z" type="scan_summary" log_type="image" image_id="mynewregistry.org/image3:latest" image_name="mynewregistry.org/image3:latest" vulnerabilties="138" compliance="2"
I'm using the config file below to filter:
input {
  file {
    path => ["/var/log/console.log"]
    type => "syslog"
  }
}
filter {
  if [type] == "syslog" {
    grok {
      # split the syslog header off; the key="value" payload lands in syslog_message
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      # add_field takes a hash; the array form is deprecated
      add_field => {
        "received_at"   => "%{@timestamp}"
        "received_from" => "%{host}"
      }
    }
    # the lines carry no <PRI> prefix, so this only fills in the defaults (user-level / notice)
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch {
    hosts => ["https://localhost:443"]
    index => "regscan-%{+YYYY.MM.dd}"
    document_type => "system_logs"
  }
  stdout { codec => rubydebug }
}
While sending logs, I'm seeing the results come out this way:
{
    "syslog_severity" => "notice",
    "type" => "syslog",
    "syslog_pid" => "16",
    "syslog_facility_code" => 1,
    "message" => "Apr 15 22:11:00 myubuntuhost Console[16]: time=\"2018-04-15T22:11:00.521019771Z\" type=\"scan_summary\" log_type=\"image\" image_id=\"mynewregistry.org/image:latest\" image_name=\"mynewregistry.org/image:latest\" vulnerabilties=\"138\" compliance=\"2\"",
    "syslog_hostname" => "myubuntuhost",
    "syslog_severity_code" => 5,
    "@timestamp" => 2018-04-15T22:11:00.000Z,
    "syslog_program" => "Console",
    "syslog_message" => "time=\"2018-04-15T22:11:00.521019771Z\" type=\"scan_summary\" log_type=\"image\" image_id=\"mynewregistry.org/image:latest\" image_name=\"mynewregistry.org/image:latest\" vulnerabilties=\"138\" compliance=\"2\"",
    "syslog_facility" => "user-level",
    "@version" => "1",
    "host" => "myubuntuhost",
    "received_at" => "2018-04-15T22:11:00.753Z",
    "received_from" => "myubuntuhost",
    "path" => "/var/log/console.log",
    "syslog_timestamp" => "Apr 15 22:11:00"
}
I would like it in such a way that I can filter by each column, such as image name, vulnerability and compliance.
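The grok pattern above only separates the syslog header from the payload; the key="value" pairs stay inside syslog_message as one string, so Elasticsearch never sees image_name, vulnerabilties or compliance as fields. The following is an added example (not part of the original post) of a kv filter that goes into the existing filter section after the grok block. It assumes the field names produced by the poster's grok (syslog_message, syslog_program) and the keys exactly as they appear in the log lines, including the misspelt vulnerabilties; the [scan] target name is a choice made here. The kv filter understands double-quoted values out of the box, so the image names containing ":" and "/" come through intact.

```logstash
filter {
  # only touch the scanner lines; other syslog programs keep their message as-is
  if [type] == "syslog" and [syslog_program] == "Console" {
    # Split the key="value" pairs in syslog_message into separate fields.
    # target nests them under [scan] so the log's own type="scan_summary"
    # key does not overwrite (or turn into an array) the event's [type]
    # field that the conditional above relies on.
    kv {
      source      => "syslog_message"
      field_split => " "
      value_split => "="
      target      => "scan"
    }
    mutate {
      # kv produces strings; convert the counters so range queries and
      # aggregations (e.g. scan.vulnerabilties > 100) work in Elasticsearch.
      convert => {
        "[scan][vulnerabilties]" => "integer"
        "[scan][compliance]"     => "integer"
      }
    }
  }
}
```

With this in place each event carries scan.time, scan.log_type, scan.image_id, scan.image_name, scan.vulnerabilties and scan.compliance, and you can filter on any of them in Kibana. Two caveats: the field name follows the key as the scanner emits it, so search for scan.vulnerabilties unless you add a mutate rename to vulnerabilities; and a field that has already been indexed as a string in today's regscan-* index keeps that mapping, so the integer conversion only takes effect in indices created after the change (or after deleting the current day's index).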