How to use "syslog_hostname" in Kibana Visualization?

Cdnvballer · May 17, 2017, 11:47pm

Hi,

I'm very new to ELK ; managed to set up an environment where syslog events are shipped via Filebeat to an ELK server for the actual reporting.... From Kibana --> Discover, I can see the active syslog events , and can filter to events of interest when specifying "source" along with fields "syslog_hostname" and "message" . I saved the search... =)

Now, I'd like to create a visualization, i.e. events over time, but using the "syslog_hostname" to identify the actual sendiers.. as opposed to using Filebeats index "source" which seems to only show the address of the syslog collector... . .. how is this done? I try to specify the saved search, but from there I'm stuck...

Bargs · May 19, 2017, 8:01pm

Can you elaborate a bit more on what kind of graph you'd like to create? For instance, are you trying to create a line chart with a separate line for each "syslog_hostname"?

Cdnvballer · May 20, 2017, 5:01pm

I'm looking to create a vertical bar chart that tracks the # of events over time.
From some examples I've seen, Y-axis is count of events, X-Axis would be time, but the bar itself can somehow be split up to show a breakdown on the actual Ip addresses? (using some sort of Sub-aggregation)....

similar to what's shown here, where the bar is divided into multiple IP addresses...

Cdnvballer · May 20, 2017, 5:12pm

To add,
I'm using the following for part of my logstash config... thanks

filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:sys
log_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}

Bargs · May 22, 2017, 3:15pm

If I'm understanding correctly, I think you'll want to do something like below. Change "clientip" in the terms agg into "syslog_hostname". Let me know if this isn't quite what you want.

Cdnvballer · May 22, 2017, 5:38pm

Thanks Matt,

this is exactly what I want to do, but I run into this problem:

using my filebeats input , I can create the initial vertical bar graph and add Date Histogram to the X-Axis.
when I try to add the Sub aggregation, I can't seem to select or specify "syslog_hostname" from the list of "Terms"

Bargs · May 22, 2017, 6:01pm

Does syslog_hostname show up in the list of fields on the index pattern management screen (example below)? If not, could you try refreshing the field list by clicking on the Refresh icon on the same page?

Cdnvballer · May 22, 2017, 6:33pm

Thanks!
this was exactly what was needed -- after refreshing that list, I was able to select the term from the drop-down list

Much Appreciated!!

system · June 19, 2017, 6:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.