How to seperate message field filebeat

Elastic Stack Logstash
1

Guys, how can I seperate message field with filebeat to more field ? It keep just giving me message field, I am trying to use grok filter but it does not work. Filebeat agent work in 1 machine meanwhile elastic server work in another machine.
2020-10-14T01:57:40.537+0700 8.8.8.8 34 10.121.42.12 97 nophoso chrome
for example log like this

this is my grok filter
'input {
beats {
port => 5044
}
}
filter {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:time} %{IP:ipsend} %{NUMBER:ports} %{IP:ipreceive} %{NUMBER:portr} %{WORD:action} %{WORD:td}" }
}
}
output {
elasticsearch { hosts => ["10.151.128.97:9200"]
hosts => "10.151.128.97:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}
'
Pls help me . Tks

2

anyone pls help me, I still can't deal with this problem yet

3

With that message and that grok filter I get

 "ipreceive" => "10.121.42.12",
     "portr" => "97",
        "td" => "chrome",
    "ipsend" => "8.8.8.8",
    "action" => "nophoso"
   "message" => "2020-10-14T01:57:40.537+0700 8.8.8.8 34 10.121.42.12 97 nophoso chrome for example log like this",

etc. I do not see a problem.

1 Like
4

I use Kibana/elastic/logstash server on 10.151.128.97 and I use filebeat on 10.157.128.98 server. I change the grok filter on logstash server. The message field still does not seperate to 7 field. So do u think what did I do wrong ?

5

I cannot say.

6

Perhaps, you need to set the output to rubudebug and paste the result here, so we can see whats the problem.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.