Hello elastic-team,
There is something odd with my Logstash when I am using logstash-codec-nmap.
What I mean:
- Following the blog post https://www.elastic.co/blog/using-nmap-logstash-to-gain-insight-into-your-network, I configured my Logstash to parse nmap data from XML files.
- All input XML files are in the /home/elastic directory with full permissions for the user elastic, as whom I start Logstash.
- Both config files (the simple one, without filter{}):
input {
  file {
    path => "/home/elastic/*.xml"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => nmap
  }
}
output {
  elasticsearch { hosts => ["10.132.0.6:9200"] }
  stdout { codec => rubydebug }
}
and the more complex one (with filter{}, available via link https://drive.google.com/open?id=0BxPCBwFCZ9StUFN6NDZtdFItblE) together with an Elasticsearch mapping give the same result ->
[INFO ][logstash.codecs.nmap] Using version 0.1.x codec plugin 'nmap'. This plugin isn't well supported by the community and likely has no maintainer.
To start the pipeline, I used:
for the simple conf file: $ sudo bin/logstash -f simple-file.conf --log.level=debug --path.settings=/etc/logstash
for the complex conf file: $ sudo bin/logstash -f complex-file.conf --log.level=debug --path.settings=/etc/logstash
All conf files and the JSON template are in the directory /usr/share/logstash, from which I also run these commands.
I don't see nmap logs in Kibana. For other log types everything is okay (samba and psad, for example).
The Logstash log file with log.level=debug and the nmap XML file are available via link https://drive.google.com/open?id=0BxPCBwFCZ9StUFN6NDZtdFItblE.
ODD thing:
I also visited https://github.com/logstash-plugins/logstash-codec-nmap/releases, first removed the plugin logstash-codec-nmap from Logstash and then installed it with the command:
$ sudo bin/logstash-plugin install --version=0.0.18 logstash-codec-nmap
The result was that the nmap codec was installed successfully, but nothing changed and I get the same ->
[INFO ][logstash.codecs.nmap] Using version 0.1.x codec plugin 'nmap'. This plugin isn't well supported by the community and likely has no maintainer.
Logstash machine:
$ sudo bin/logstash --version
logstash 5.4.0
Elasticsearch machine:
$ sudo bin/elasticsearch --version
Version: 5.4.0, Build: 780f8c4/2017-04-28T17:43:27.229Z, JVM: 1.8.0_131
Kibana machine:
$ sudo bin/kibana --version
5.4.0
Please help me understand how I can fix nmap parsing.
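An added example, not code from the original post and not logstash-codec-nmap's own code: a small parser that turns a complete nmap XML report into one flat record per port, the shape of event a pipeline like the one above would index. It is useful as a check independent of Logstash: run it against the XML file to confirm the file is a whole, well-formed nmap report. It also shows why feeding an XML report through a line-oriented input deserves a second look: the file input hands the codec one line at a time, and a single line of an nmap report is not a parseable document (the blog post the question cites pairs the codec with the http input, which delivers a whole report per request). The sample XML is constructed for the example, and the output field names are my own choice, not the codec's.

```python
"""Parse an nmap XML report into one flat record per port.

Added example, not code from the original post or from logstash-codec-nmap.
Field names are my own choice; the sample report below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample of an nmap -oX report, trimmed to the elements used below.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/29" start="1493400000" version="7.40">
  <host starttime="1493400001" endtime="1493400020">
    <status state="up" reason="arp-response"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <hostnames><hostname name="gw.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
    </ports>
  </host>
  <host starttime="1493400002" endtime="1493400021">
    <status state="down" reason="no-response"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def is_complete_document(text):
    """True if text is a whole nmap XML report, False for a fragment.

    A single line of the report (the XML declaration, or an unclosed
    <nmaprun ...> start tag) is not a document and fails to parse, which is
    what a line-at-a-time input hands to a codec.
    """
    try:
        return ET.fromstring(text).tag == "nmaprun"
    except ET.ParseError:
        return False


def parse_nmap_xml(xml_text):
    """Return a list of dicts, one per <port>, from a complete nmap XML report."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmap XML report (root element is %r)" % root.tag)
    # Scan-level attributes copied onto every event, like a codec would.
    run = {"scanner": root.get("scanner"), "args": root.get("args"),
           "nmap_version": root.get("version")}
    events = []
    for host in root.iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:  # fall back to whatever address is present (ipv6, mac)
            addr = host.find("address")
        hostname = host.find("hostnames/hostname")
        base = dict(run)
        base.update({
            "host_state": status.get("state") if status is not None else None,
            "ip": addr.get("addr") if addr is not None else None,
            "hostname": hostname.get("name") if hostname is not None else None,
        })
        # Hosts that are down carry no <ports>, so they yield no events here.
        for port in host.iter("port"):
            state = port.find("state")
            service = port.find("service")
            ev = dict(base)
            ev.update({
                "protocol": port.get("protocol"),
                "port": int(port.get("portid")),
                "port_state": state.get("state") if state is not None else None,
                "service": service.get("name") if service is not None else None,
                "product": service.get("product") if service is not None else None,
                "version": service.get("version") if service is not None else None,
            })
            events.append(ev)
    return events


def open_ports(events):
    """Keep only open ports, the rows most dashboards actually chart."""
    return [e for e in events if e["port_state"] == "open"]


if __name__ == "__main__":
    import json
    import sys
    # Usage: python nmap_xml_to_events.py scan.xml   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    print("complete document:", is_complete_document(text))
    for ev in parse_nmap_xml(text):
        print(json.dumps(ev, sort_keys=True))
```

Run it against the real scan file to confirm the report parses as a whole; if it does, the XML itself is fine and the question becomes what the input plugin is handing the codec, which is where the line-by-line file input and the whole-document http input differ.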