Kibana unable to parse syslog logs

I have a text file which contains data in the format below (syslog).

Oct  9 2019 23:39:37 myrtle sshd[41925]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.49.202.135  user=root
Oct  9 2019 23:39:37 myrtle sshd[41925]: Failed password for root from 221.49.202.135 port 1930 ssh2
Oct  9 2019 23:39:38 myrtle sshd[41927]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.49.202.135  user=root
Oct  9 2019 23:39:38 myrtle sshd[41927]: Failed password for root from 221.49.202.135 port 55212 ssh2
Oct 10 2019 04:28:55 myrtle sshd[41931]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.150.44.62  user=root
Oct 10 2019 04:28:55 myrtle sshd[41931]: Failed password for root from 108.150.44.62 port 17735 ssh2
Oct 10 2019 04:28:56 myrtle sshd[41936]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.150.44.62  user=root
Oct 10 2019 04:28:56 myrtle sshd[41936]: Failed password for root from 108.150.44.62 port 54304 ssh2
Oct 10 2019 04:28:57 myrtle sshd[41939]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.150.44.62  user=root
Oct 10 2019 04:28:57 myrtle sshd[41939]: Failed password for root from 108.150.44.62 port 33925 ssh2
Oct 10 2019 04:28:58 myrtle sshd[41941]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.150.44.62  user=root

I am trying to get this parsed in Kibana by uploading a file through the Kibana interface. I keep getting the error that "File structure cannot be determined". I tried these override settings:

Number of lines to sample: 1000
Data Format: delimited
Delimiter: space
Quote character: not applicable
Timestamp format: MMM dd yyyy HH:mm:ss

NOTE: This worked in my older Kibana setup which was similar to this current one

Please assist.
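A parser for the exact format in the question, written here as an added example (it is not Kibana's or Filebeat's code): the header regex encodes the `MMM dd yyyy HH:mm:ss` timestamp the override tried to express, the sshd messages are classified, and failures are counted per source address. The sample is the question's own lines plus one constructed RFC 3164 line without a year, which the parser rejects.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Optional

# Header of the thread's syslog variant: "MMM dd yyyy HH:mm:ss host prog[pid]: msg".
# The year between the day and the time is what standard RFC 3164 parsers do not expect.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)
PAM_RE = re.compile(r"authentication failure;.*rhost=(?P<ip>\S*)\s+user=(?P<user>\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Split one line into structured fields; None if it is not in this format."""
    m = HEADER_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    # Collapse the padded day ("Oct  9") before strptime; %d accepts a single digit.
    ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%b %d %Y %H:%M:%S")
    ev["pid"] = int(ev["pid"]) if ev["pid"] else None
    ev["type"] = "other"
    fm = FAILED_RE.search(ev["msg"])
    pm = PAM_RE.search(ev["msg"])
    if fm:
        ev.update(type="failed_password", user=fm["user"], ip=fm["ip"], port=int(fm["port"]))
    elif pm:
        ev.update(type="pam_auth_failure", user=pm["user"], ip=pm["ip"])
    return ev


def failed_logins_by_source(text: str) -> Counter:
    """Count sshd 'Failed password' events per source address. The pam_unix line
    reports the same failure a second time, so only the sshd line is counted."""
    counts: Counter = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev["type"] == "failed_password":
            counts[ev["ip"]] += 1
    return counts


# Sample input: four lines from the question plus one constructed line without a year.
SAMPLE = """Oct  9 2019 23:39:37 myrtle sshd[41925]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.49.202.135  user=root
Oct  9 2019 23:39:37 myrtle sshd[41925]: Failed password for root from 221.49.202.135 port 1930 ssh2
Oct 10 2019 04:28:55 myrtle sshd[41931]: Failed password for root from 108.150.44.62 port 17735 ssh2
Oct 10 2019 04:28:56 myrtle sshd[41936]: Failed password for root from 108.150.44.62 port 54304 ssh2
Oct 10 04:28:58 myrtle sshd[41941]: Failed password for root from 108.150.44.62 port 33925 ssh2
"""

if __name__ == "__main__":
    print(failed_logins_by_source(SAMPLE))  # Counter({'108.150.44.62': 2, '221.49.202.135': 1})
```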

What version are you on?

I just tried on 8.7.0 and it loaded without setting anything... and it picked up the data correctly and parsed out the IP and put the rest in a message field.

Exactly, it worked on my previous installation of Kibana. I installed Kibana from here from the RPM repository.

The Elasticsearch version is 8.7.0. Did I do something wrong this time?

I don't know. I literally used your log lines and they parsed and ended up in Kibana using the system module.

Those are your log lines. I just put them in the file. Pointed the system module at it.

Made sure I ran setup .... Did you run setup?

filebeat setup -e

Then ran filebeat and those are the results I posted.

I didn't make any other changes

I am trying to parse this using Kibana user interface though.

I even tried to parse it using the Filebeat system module. Weird thing is - I have another log file (an Apache log file which I am parsing using the apache module) and I am able to see all the Apache logs in Kibana. It's just this syslog file that is not showing up in Kibana. Both files have the same date ranges.

I had first setup apache files, then ran filebeat setup -e
Then I updated system modules, and again ran filebeat setup -e.

Ohh sorry I am answering toooo many...

I loaded that through the Upload File in Kibana 8.7.0 All Defaults

As you asked ... I did not set any delimiters etc..etc..

Apache won't work; those are not Apache logs.

There are different parsers...

What I showed above I did with the File Uploader

You are doing something basic wrong.. :slight_smile:

Did you clean out the index / delete the index and try to use Upload All Defaults New Index?

I too did the same. Loaded them through the Upload File in Kibana with defaults. When default settings did not parse it, then I tried to set delimiters.

Apache logs are working perfectly in Kibana. Kibana is not able to parse system logs.

Hmmm

Step by Step

File Uploader

Contents of file

$ cat syslog.log
Oct  9 2019 23:39:37 myrtle sshd[41925]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.49.202.135  user=root
Oct  9 2019 23:39:37 myrtle sshd[41925]: Failed password for root from 221.49.202.135 port 1930 ssh2
Oct  9 2019 23:39:38 myrtle sshd[41927]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.49.202.135  user=root
Oct  9 2019 23:39:38 myrtle sshd[41927]: Failed password for root from 221.49.202.135 port 55212 ssh2
Oct 10 2019 04:28:55 myrtle sshd[41931]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.150.44.62  user=root
Oct 10 2019 04:28:55 myrtle sshd[41931]: Failed password for root from 108.150.44.62 port 17735 ssh2
Oct 10 2019 04:28:56 myrtle sshd[41936]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.150.44.62  user=root
Oct 10 2019 04:28:56 myrtle sshd[41936]: Failed password for root from 108.150.44.62 port 54304 ssh2
Oct 10 2019 04:28:57 myrtle sshd[41939]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.150.44.62  user=root
Oct 10 2019 04:28:57 myrtle sshd[41939]: Failed password for root from 108.150.44.62 port 33925 ssh2
Oct 10 2019 04:28:58 myrtle sshd[41941]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=108.150.44.62  user=root

Load the File: No Special Settings

Nothing Touched

Click On Discover

If I use the filebeat system module with syslog input it does not parse your file... it does parse my syslog on my Mac.

Thank you. This worked. I was earlier loading it from the interface on the 'welcome home' page and it was not working. Do you know what could be the reason?

Assuming you mean this, it works exactly the same for me.
