I am getting message output data in logstash but i want to parse it to json

Elastic Stack Logstash
1

input{
exec {
command => "netstat"
interval => 30
}
beats{
port =>5044
}
}
filter{
grok{
match => {"message" => [
#reqout grok:
"%{DATESTAMP:time} (::slight_smile: [%{DATA:req}(:)][(RQID:)%{DATA:rqId}][(STV:)%{DATA:stv}][(S:)%{DATA:s}][(RQC:)%{DATA:rqc}][(UN:)%{DATA:un}][(CAT:)%{DATA:cat}][(MSISDN:)%{DATA:msisdn}][(USt:)%{DATA:ust}][(UNW:)%{DATA:unw}][(DSMS:)%{DATA:dsms}][(TEMPTID:)%{DATA:temptid}][(UDH:)%{DATA:udh}][(ST:)%{DATA:st}][(SRVPRT:)%{DATA:srvprt}][(OINFO:)%{DATA:oinfo}(,MsgReq=)%{DATA:msgreq}(,FT=)%{DATA:ft} (ResTyp=)%{DATA:restyp}][(RETMSG:)%{DATA:retmsg}][%{DATA:fixedInfNtAvail}][(TT:)%{NUMBER:tt:int} %{DATA:timeunit}][(Source IP:%{IP:sourceIp})]",
"%{DATESTAMP:time} (::slight_smile: [%{DATA:req}(:)][(RQID:)%{DATA:rqId}][(STV:)%{DATA:stv}][(S:)%{DATA:s}][(RQC:)%{DATA:rqc}][(UsInf.)%{DATA:UsInf},(UName:)%{DATA:UName},(Cat:)%{DATA:Cat},(UStatus:)%{DATA:UStatus}] [(DSMS:)%{DATA:dsms}][(TEMPTID:)%{DATA:temptid}][(UDH:)%{DATA:udh}][(ST:)%{DATA:st}][(SRVPRT:)%{DATA:srvprt}][(OINFO:)%{DATA:oinfo}(,MsgReq=)%{DATA:msgreq}(,FT=)%{DATA:ft} (ResTyp=)%{DATA:restyp}][(RETMSG:)%{DATA:retmsg}][%{DATA:fixedInfNtAvail}][(TT:)%{NUMBER:tt:int} %{DATA:timeunit}][(Source IP:%{IP:sourceIp})]",
#reqin grok:
"%{DATESTAMP:time} (::slight_smile: [%{DATA:req}][(RQID:)%{DATA:rqId}][(S:)%{DATA:S}][(MD:)%{DATA:MD}][(DSMS:)%{DATA:DSMS}][(SMSISDN:)%{DATA:SMSISDN}][(REQMSG:)%{DATA:REQMSG}][(ST:)%{DATA:ST}][(SERPRT:)%{DATA:SERPRT}][(OINFO:)%{DATA:oinfo}(,MsgReq=)%{DATA:msgreq}(,FT=)%{DATA:ft}(ResTyp=)%{DATA:RResTyp}][(Source IP:%{IP:sourceIp})]",
#login grok:
"%{DATESTAMP:time} (::slight_smile: [(Login ID:)%{DATA:LoginID}] [(User ID:)%{DATA:UserID}] [(Network ID:)%{DATA:NetworkID}] [(User Name:)%{DATA:UserName}] [(User Type:)%{DATA:UserType}] [(Domain ID:)%{DATA:DomainID}] [(Category Code:)%{DATA:CategoryCode}] [(Log Type:)%{DATA:LogType}] [(Login Time:)%{DATA:LoginTime}] [(Logout Time:)%{DATA:LogoutTime}] [(IP Address:)%{IP:IPAddress}] [(Browser Type:)%{DATA:BrowserType}] [(Other Information:)%{DATA:OtherInformation}]",
#dailylog grok:
"%{DATA:INFO} (::slight_smile: [(IID:)%{DATA:IID}][(RNW:)%{DATA:RNW}][(RQRVT:)%{DATA:RQRVT}][(RQLGT:)%{DATA:RNW}][(RQID:)%{DATA:RQID}][(STV:)%{DATA:STV}][(RQST:)%{DATA:RQST}][(RQS:)%{DATA:RQS}][(RQEST:)%{DATA:RQEST}][(SUID:)%{DATA:SUID}][(SUN:)%{DATA:SUN}][(SC:)%{DATA:SC}][(SM:)%{DATA:SM}][(SNW:)%{DATA:SNW}][(TID:)%{DATA:TID}][(TS:)%{DATA:TS}][(E:)%{DATA:E}][(RM:)%{DATA:RM}][(AMT:)%{NUMBER:AMT:int}][(SST:)%{DATA:SST}][(RID:)%{DATA:RID}][(VAL:)%{NUMBER:VAL:int}][(TOP:)%{NUMBER:TOP:int}][(RTT:)%{NUMBER:RTT:int}][(PPT:)%{NUMBER:PPT:int}][(INVALURL:)%{DATA:INVALURL}][(INVALRESP:)%{DATA:INVALRESP}][(INRURL:)%{DATA:INRURL}][(INRRESP:)%{DATA:INRRESP}]"
]
}
}
json {
source => "message"
}
json {
source => "message"
remove_field => ["message"]
}

}

output{
stdout { codec => rubydebug }

}

2

Welcome to our community! :smiley:

Please don't post an unformatted config file without any other information, there's nothing here that tells us what's wrong with what you have and it makes it impossible to help further.

3

This is output......
"_source" : {
"message" : "\r\nActive Connections\r\n\r\n Proto Local Address Foreign Address State\r\n TCP 127.0.0.1:9200 MCGL-7805:61940 ESTABLISHED\r\n TCP 127.0.0.1:9200 MCGL-7805:61941 ESTABLISHED\r\n TCP 127.0.0.1:9200 MCGL-7805:61942 ESTABLISHED\r\n TCP 127.0.0.1:9200 MCGL-7805:61943 ESTABLISHED\r\n TCP 127.0.0.1:49672 MCGL-7805:55552 ESTABLISHED\r\n TCP 127.0.0.1:52142 MCGL-7805:55552 ESTABLISHED\r\n TCP 127.0.0.1:52251 MCGL-7805:52252 ESTABLISHED\r\n TCP 127.0.0.1:52252 MCGL-7805:52251 ESTABLISHED\r\n TCP 127.0.0.1:52253 MCGL-7805:52254 ESTABLISHED\r\n TCP 127.0.0.1:52254 MCGL-7805:52253 ESTABLISHED\r\n TCP 127.0.0.1:52255 MCGL-7805:52256 ESTABLISHED\r\n TCP 127.0.0.1:52256 MCGL-7805:52255 ESTABLISHED\r\n TCP 127.0.0.1:52257 MCGL-7805:52258

4

This is messy, pls use the lovely icon </>
Why are using twice json plugin on "message".?
For output is better to use rubydebug.

output{
    stdout {
        codec => rubydebug{}
    }
}
5

i also tried it's not working

6

You want to get nestat and have it in ES, by using LS.
It's possible. Can you show which columns return netstat without LS? Print screen is also OK.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.