How can we add an extra field to the SSH Login Attempt [Filebeat System] dashboard


(Tek Chand) #1

Hello Team,

I am using ELK 6.4.0 and Beat (Filebeat). My architecture is Filebeat->Logstash->Elasticsearch->Kibana.

I am sending my auth.log using Filebeat, but I am not using the Filebeat system module, because the Filebeat system module can't be used directly with Logstash. So I am using a Logstash pipeline.

I have created a field for an auth log and this field is visible on the Kibana dashboard. But now I want to add this field to my SSH Login Attempt dashboard.

So I have tried to add my newly created field in the saved searches for the SSH Login Attempt dashboard. The fields were showing on the left-hand side of the dashboard, but my newly created field is not present in that list.

Can you please help me with how we can add that field?

Any assistance will be appreciated.

Thanks.


(Tek Chand) #2

I have done it.

Thanks.


(Brandon Kobel) #3

Hey @Tek_Chand, I'm glad to hear you were able to solve your issue. If you get the chance, if you could share what you did to resolve your issue, it can help others that are having similar issues.


(Tek Chand) #4

@Brandon_Kobel,

Sure, I have followed the steps below:

As I mentioned in my first post, I am using a Logstash pipeline to use the Filebeat dashboards.

  1. I have written the Grok pattern for my log line with all the required fields which I need.
  2. Now restarted the Logstash service in order to make my changes effective.
  3. Now all the required fields were visible on the Kibana dashboard.

Now we need to add our required field to the SSH Login Attempt [Filebeat] dashboard.

We can add the field we want by making changes in the Saved Searches for the SSH Login Attempt Dashboard. We can reach there by following the steps below:

  1. Click on the Discover tab on the left-hand side of the Kibana dashboard.
  2. Now click on the Open tab in the top right-hand corner of the Kibana dashboard.
  3. Now you will see the list of many saved searches; choose SSH Login Attempt Dashboard.
  4. Once you open that dashboard in a new tab, you will see the list of all the default fields on the left-hand side of the Kibana dashboard. Now you can add or remove fields as per your requirements.
  5. After making changes, click on the Save tab on the Kibana dashboard. Save without selecting "save as new search".

I got the above issue because earlier, when I wrote my Grok pattern, none of the fields matched any of the default fields available in the SSH Login Attempt dashboard.

So again I made some changes in my Grok pattern and gave one field the same name as one of the default fields. Now when I followed the same steps again to make changes in my SSH Login Attempts Dashboard, I saw all the newly created fields in the list.

The above steps may not be quite clear. But I am hoping it will give a lead in that direction. :slight_smile:
Thanks.
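
An added example, not taken from any post in this thread: a Logstash filter that parses sshd login lines from auth.log into the field names used by the Filebeat 6.x system module's auth fileset, so that the parsed fields line up with the ones the stock SSH login dashboard objects use. The `[custom][ssh_zone]` field, its value and the `_ssh_login_grok_miss` tag are hypothetical stand-ins (the thread does not name the poster's extra field), and the input and output sections are omitted because the thread does not show them.

```logstash
# Added example; not the poster's actual pipeline.
# Constructed sample line this pattern is meant to match:
#   Sep 21 10:15:02 web01 sshd[2345]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
filter {
  grok {
    # Field names follow the Filebeat 6.x system module (auth fileset),
    # e.g. system.auth.ssh.event, system.auth.user, system.auth.ssh.ip.
    match => {
      "message" => [
        "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} %{DATA:[system][auth][ssh][method]} for (invalid user )?%{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]} port %{NUMBER:[system][auth][ssh][port]} ssh2(: %{GREEDYDATA:[system][auth][ssh][signature]})?"
      ]
    }
    # Lines that are not sshd login events are tagged rather than dropped,
    # so parsing gaps stay visible in Discover.
    tag_on_failure => ["_ssh_login_grok_miss"]
  }

  if "_ssh_login_grok_miss" not in [tags] {
    # Use the syslog timestamp as the event time (single- and double-digit days).
    date {
      match => ["[system][auth][timestamp]", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"]
    }
    # Hypothetical extra field added alongside the module-style fields.
    mutate {
      add_field => { "[custom][ssh_zone]" => "dmz" }
    }
  }
}
```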


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.