Logstash Authentication doesn't work after x-tools install

Frank_Trezza · November 18, 2016, 9:05pm

I installed X-tools and my logstash.conf file no longer was able to connect, getting 401 errors. I followed the steps outlined in https://www.elastic.co/guide/en/x-pack/current/logstash.html and created the users and configured permissions, however when editing my logstash.conf file to include the user and login as it shows, It can not parse the file after adding in the lines like so

input {
...
user => logstash_internal
password => changeme
}
filter {
...
user => logstash_internal
password => changeme
}
output {
elasticsearch {
...
user => logstash_internal
password => changeme
}

after adding these entries in the appropriate places in the .conf file it it is views it as an invalid config and is unable to work. Please assist.

my current file is below with only one of the entries added, I removed the other 2 for debugging .

#logstash.conf

input {

udp {
type => sonicwall
codec => plain {
charset => "ISO-8859-1"
}
port => 514
}
user => "logstash_internal"
password => "changeme"
}
}

filter {

if [type] == "sonicwall" {

kv {
    exclude_keys => [ "<129>id", "<132>id", "<133>id","<134>id", "af_polid", "af_service", "app", "appid", "code", "fw", "m", "op", "sn" ]
}

date {
    match => [ "time", "yyyy-MM-dd HH:mm:ss z", "yyyy-MM-dd HH:mm:ss" ]
}

if [src] {
    grok {
        match => { 
            "src" => [
                "%{IP:srcip}:%{INT:srcport}:%{DATA:srcint}:%{GREEDYDATA:srcname}",
                "%{IP:srcip}:%{INT:srcport}:%{DATA:srcint}",
                "%{IP:srcip}::%{DATA:srcint}",
                ":%{INT:srcport}"
            ]  
        }
    }
}

if [dst] {
    grok {
        match => { 
            "dst" => [ 
                "%{IP:dstip}:%{INT:dstport}:%{DATA:dstint}:%{GREEDYDATA:dstinfo}",
                "%{IP:dstip}:%{INT:dstport}:%{DATA:dstint}",
                "%{IP:dstip}::%{DATA:dstint}",
                ":%{INT:dstport}"
            ]
        }
    }
}

# Sanitize fields with \r after recent firmware update
mutate {
    gsub => [
        "sent", "\r", "",
        "rcvd", "\r", "",
        "cdur", "\r", "",
        "spkt", "\r", "",
        "rpkt", "\r", "",
        "proto", "\r", ""
    ]
}

# Assign network tags based on IP
if [dstip] {
    cidr {
        add_tag => ["dstip-private"]
        address => ["%{dstip}"]
        network => ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    }                
    
    # Parse GeoIP info
    if "dstip-private" not in [tags] {
        geoip {
            source => "dstip"
            target => "dstip_geoip"
            fields => ["country_name", "region_name", "city_name", "location"]
               }
    }
}

# Replace srcname with srcip if srcname does not exist
if ![srcname] and [srcip] {
    mutate {
        replace => { "srcname" => "%{srcip}" }
    }
}	

# Replace dstname with dstinfo or dstip if dstname does not exist
if ![dstname] and [dstinfo] {
    mutate {
        replace => { "dstname" => "%{dstinfo}" }
    }
} else if ![dstname] and [dstip] {
    mutate {
        replace => { "dstname" => "%{dstip}" }
    }
}	

mutate {
    lowercase => [ "msg", "appName", "sess", "fw_action", "srcint", "dstint", "Category"]
    remove_field => [ "src", "dst", "dstinfo", "message", "time" ]
    
}

}

output

{
elasticsearch { hosts => ["localhost:9201"]
}
#stdout { codec => rubydebug }
}

warkolm · November 19, 2016, 8:58am

Providing the entire error will be helpful.

system · December 17, 2016, 8:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.