Howto locate Logstash variables in Elasticsearch and Kibana

mohamad.faisel · September 25, 2019, 5:01am

Hi,

I have the following logstash config for filterlog stored in 'conf' subdirectory inside my home directory

--- Begin ~/conf/filterlog.conf ---
input {
file{
path => "/var/log/10.9.8.1/filterlog.log"
start_position => "beginning"
}
}

filter {
if [fileset][module] == "system" {
if [fileset][name] == "filterlog" {
grok {
match => {
"message" =>"%{TIMESTAMP_ISO8601:pf_date} %{WORD:pf_hostname} %{WORD:pf_service}: %{POSINT:pf_rule},%{POSINT:pf_subrule}?,%{DATA:pf_anchor}?,%{POSINT:pf_trackerid}?,%{WORD:pf_ifc},%{WORD:pf_reason},%{WORD:pf_action},%{WORD:pf_direction},%{POSINT:pf_ip_version},%{WORD:pf_tos}?,%{WORD:pf_ecn}?,%{POSINT:pf_ttl}?,%{POSINT:pf_id}?,%{POSINT:pf_offset}?%{GREEDYDATA:pf_csvdata}"
}
}
date {
match => ["pf_date", "ISO8601"]
target => "event_timestamp"
}
}
}
}

output {
elasticsearch {
hosts => ["localhost:9200"]
index=> "%{[@metadata][beat]}-%{[@metadata][version]}-%{+yyyy.MM.dd}-filterlog"
manage_template => false
}
stdout{
codec => rubydebug
}
}
--- End ~/conf/filterlog.conf ---

I could see all the pf_* variables from CLI using this command:
sudo -u logstash /usr/share/logstash/bin/logstash --debug --path.settings logstash ~/conf/

How do I check those variables in Elasticsearch & Kibana ?

Thank you.

spinscale · September 25, 2019, 11:53am

I am not sure I understand the question. The defined variables in the grok filter will be fields in the document that is indexed into kibana. Is this what you are after?

mohamad.faisel · September 26, 2019, 3:52am

Thank you. I have found a better sampel in freecodecamp to better undestand how the logstash filter works.

Thank you for your prompt response.

system · October 24, 2019, 3:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.