How to Split Message Field with Exchange LOG Information

Today, I can send the logs from Exchange messages to Kibana using filebeat, but I need more fields that are sent in a unique way in the message field.

My logstash.conf is:

#udp syslogs stream via 5141
input {
  udp {
    type => "log"
    port => 5141
  }
}

filter {
  if [type] == "log" {
    # Exchange message tracking logs are comma-separated; name the 27 columns
    csv {
      add_tag => [ 'exh_msg_trk' ]
      columns => ['logdate', 'client_ip', 'client_hostname', 'server_ip', 'server_hostname', 'source_context', 'connector_id', 'source', 'event_id', 'internal_message_id', 'message_id', 'network_message_id', 'recipient_address', 'recipient_status', 'total_bytes', 'recipient_count', 'related_recipient_address', 'reference', 'message_subject', 'sender_address', 'return_path', 'message_info', 'directionality', 'tenant_id', 'original_client_ip', 'original_server_ip', 'custom_data']
      remove_field => [ "logdate" ]
    }
    # pull the ISO8601 timestamp out of the raw line for the date filter below
    grok {
      match => [ "message", "%{TIMESTAMP_ISO8601:timestamp}" ]
    }
    mutate {
      convert => [ "total_bytes", "integer" ]
      convert => [ "recipient_count", "integer" ]
      # multi-value columns use ';' as the separator inside the field
      split => [ "recipient_address", ";" ]
      split => [ "source_context", ";" ]
      split => [ "custom_data", ";" ]
    }
    date {
      match => [ "timestamp", "ISO8601" ]
      timezone => "Europe/London"
      remove_field => [ "timestamp" ]
    }
    # lines without an ISO8601 timestamp are discarded
    if "_grokparsefailure" in [tags] {
      drop { }
    }
  }
}

output {
  # replace X.X.X.X with the Elasticsearch address; the value must be quoted
  elasticsearch { host => "X.X.X.X:9200" }
  stdout { codec => rubydebug }
}
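
The following Python parser is an added example, not code from the original post or from Logstash: it does offline what the csv, grok, mutate and date filters in the configuration above do, so the 27-column mapping can be checked against a record before shipping it. The header lines and the single SEND record are constructed sample data, not real log output; the column order is the one the posted `columns` list uses. The length check is deliberate: a record with the wrong number of columns fails loudly instead of silently shifting every later field by one, and the quoted subject shows why the csv filter is used rather than a plain split on commas.

```python
import csv
from datetime import datetime

# Column names in the order Exchange writes message tracking log records
# (the same 27 names as the csv filter's `columns` list above).
COLUMNS = [
    'logdate', 'client_ip', 'client_hostname', 'server_ip', 'server_hostname',
    'source_context', 'connector_id', 'source', 'event_id',
    'internal_message_id', 'message_id', 'network_message_id',
    'recipient_address', 'recipient_status', 'total_bytes', 'recipient_count',
    'related_recipient_address', 'reference', 'message_subject',
    'sender_address', 'return_path', 'message_info', 'directionality',
    'tenant_id', 'original_client_ip', 'original_server_ip', 'custom_data',
]

# Fields the posted config converts to integers, and fields it splits on ';'
INTEGER_FIELDS = ('total_bytes', 'recipient_count')
SEMICOLON_FIELDS = ('recipient_address', 'source_context', 'custom_data')


def parse_tracking_line(line):
    """Parse one message tracking record into a dict keyed by COLUMNS."""
    # csv.reader honours the double quotes Exchange puts around a subject
    # that contains a comma, where a plain str.split(',') would not.
    values = next(csv.reader([line.rstrip('\r\n')]))
    if len(values) != len(COLUMNS):
        raise ValueError(
            f'expected {len(COLUMNS)} columns, got {len(values)}: {line!r}')
    event = dict(zip(COLUMNS, values))

    # Equivalent of the grok + date filters: the first column is ISO 8601
    # with a trailing 'Z', which datetime.fromisoformat needs as '+00:00'.
    stamp = event.pop('logdate').replace('Z', '+00:00')
    event['@timestamp'] = datetime.fromisoformat(stamp)

    # Equivalent of mutate/convert: an empty column becomes None, not 0
    for name in INTEGER_FIELDS:
        event[name] = int(event[name]) if event[name] else None

    # Equivalent of mutate/split: multi-value columns are ';'-separated
    for name in SEMICOLON_FIELDS:
        event[name] = [part for part in event[name].split(';') if part]
    return event


def parse_tracking_log(text):
    """Parse a whole log, skipping '#'-prefixed header lines and blank lines
    (the posted config drops those through _grokparsefailure instead)."""
    return [parse_tracking_line(line) for line in text.splitlines()
            if line.strip() and not line.startswith('#')]


# Constructed sample (not real log data): abbreviated header lines in the
# style Exchange writes, followed by one SEND record with two recipients
# and a comma inside the quoted subject.
SAMPLE_LINE = (
    '2015-01-20T10:15:30.123Z,10.0.0.5,MAIL01,10.0.0.6,MAIL02,'
    '08D2B3A1;250 2.6.0 Queued mail for delivery,'
    'Intra-Organization SMTP Send Connector,SMTP,SEND,12345,'
    '<abc123@contoso.example>,3f1c1e7e-0000-0000-0000-000000000001,'
    'alice@contoso.example;bob@contoso.example,'
    '250 2.1.5 Recipient OK;250 2.1.5 Recipient OK,2048,2,,,'
    '"Quarterly report, final",carol@contoso.example,carol@contoso.example,,'
    'Originating,,10.0.0.5,10.0.0.6,'
    'S:DeliveryPriority=Normal;S:AccountForest=contoso.example'
)
SAMPLE_LOG = (
    '#Software: Microsoft Exchange Server\n'
    '#Version: 15.0.0.0\n'
    '#Log-type: Message Tracking Log\n'
    '#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname\n'
    + SAMPLE_LINE + '\n'
)

if __name__ == '__main__':
    for event in parse_tracking_log(SAMPLE_LOG):
        print(event['@timestamp'], event['event_id'],
              event['recipient_address'], event['message_subject'])
```

Running the script prints the timestamp, event id, recipient list and subject of the sample record; feeding it a real log file instead of `SAMPLE_LOG` is the quickest way to confirm that the column list matches the Exchange version in use before looking for the fields in Kibana.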

I don't see how this relates to Kibana. Are you sure you didn't mean to put this post in the Logstash forum?

Hello! I do not know exactly. I started using the solution very recently. I cannot see the correct information in Kibana (according to the screen I sent), but I do not know where to correct the problem.
