Index Patterns: Please specify a default index pattern

i'm using ELK on my virtual machine centos 7 using vSphere client
i have some logs to visualise /var/log/secure
i've connected my kibana via inginx and its working fine !
i've set this configuration for /etc/logstash/conf.d/sshd.conf
input {
file {
type => "secure_log"
path => "/var/log/secure"
filter {
include "pattern.txt"
grok {
add_tag => [ "sshd_fail" ]
match => { "message" => "Failed %{WORD:sshd_auth_type} for %{USERNAME:sshd_invalid_user} from %{IP:sshd_client_ip} port %{NUMBER:sshd_port} %{GREEDYDATA:sshd_protocol}" }

output {
elasticsearch {
index => "sshd_fail-%{+YYYY.MM}"

and i made a file .txt called pattern where i entred the pattern for my logs

%{SYSLOGTIMESTAMP:system.auth.timestamp} %{SYSLOGHOST:system.auth.hostname} sshd(?:\[%{}\])?: %{DATA:system.auth.ssh.event} %{DATA:system.auth.ssh.method} for (invalid user )?%{DATA:system.auth.user} from %{IPORHOST:system.auth.ip} port %{NUMBER:system.auth.port} ssh2(: %{GREEDYDATA:system.auth.ssh.signature})?

and i still have nthg

1 Like

I have the same problem please

You should create an index pattern for sshd_fail-*, as this is the index Logstash is pushing the events to.

1 Like

can you explain how to do that please ?

In the screenshot you shared (which tells you how to configure index patterns), replace logstash-* with sshd_fail-* in the text field.
That would then match any index in Elasticsearch beginning with sshd_fail-.

1 Like

same problem :frowning:

Have you got any data indexed at all into Elasticsearch (use the cat indices API to find out)? If not, have a look at how synced_path and start_position parameters are used with the file input plugin in this tutorial.

Does your Logstash start correctly? Because this configuration

seems wrong to me, include is not a directive.

(Also, you should rework your grok configuration, the patterns.txt isn't the place for the complete pattern to match a log line, but for individuals patterns used in the match parameter)

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.