Logstash config file for elasticsearch query monitoring

I am trying to use packetbeat and logstash to monitor search queries on elasticsearch by following this article: https://www.elastic.co/blog/monitoring-the-search-queries

I am using the config file that's provided in the article. However, it seems that Logstash is sending data into Elasticsearch even when I did not run any search query myself — the example below is a request issued by Kibana against the `.kibana` index, not a user search.

Here is an example: { "_index": "logstash-2018.08.22", "_type": "http", "_id": "AWVjj0aSQ0pSImdlZby1", "_score": 1, "_source": { "server": "-MacBook-Pro.local", "request": "POST /.kibana/index-pattern/_search?fields= HTTP/1.1\r\naccept: application/json, text/plain, */*\r\nuser-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36\r\ncontent-length: 39\r\nreferer: http://localhost:5601/app/kibana\r\nx-forwarded-for: 127.0.0.1\r\ncontent-type: application/json;charset=UTF-8\r\naccept-encoding: gzip, deflate, br\r\nx-forwarded-port: 60799\r\norigin: http://localhost:5601\r\naccept-language: en-US,en;q=0.9\r\nkbn-version: 4.4.0\r\nx-forwarded-proto: http\r\nconnection: keep-alive\r\nHost: localhost:9200\r\n\r\n{\"query\":{\"match_all\":{}},\"size\":10000}", "proc": "", "method": "POST", "bytes_in": 626, "ip": "127.0.0.1", "query": "POST /.kibana/index-pattern/_search", "type": "http", "client_proc": "", "tags": [ "beats_input_raw_event" ], "client_server": "MacBook-Pro.local", "path": "/.kibana/index-pattern/_search", "client_port": 60806, "@timestamp": "2018-08-22T21:34:17.428Z", "bytes_out": 458, "port": 9200, "beat": { "hostname": "MacBook-Pro.local", "name": "211admins-MacBook-Pro.local", "version": "5.1.2" }, "@version": "1", "host": "MacBook-Pro.local", "http": { "request": { "headers": { "content-length": 39, "content-type": "application/json;charset=UTF-8" }, "params": "fields=", "body": "{\"query\":{\"match_all\":{}},\"size\":10000}" }, "response": { "headers": { "content-length": 371, "content-type": "application/json; charset=UTF-8" }, "code": 200, "phrase": "OK", "body": 
"{\"took\":1,\"timed_out\":false,\"_shards\":{\"total\":1,\"successful\":1,\"failed\":0},\"hits\":{\"total\":3,\"max_score\":1.0,\"hits\":[{\"_index\":\".kibana\",\"_type\":\"index-pattern\",\"_id\":\"resource-*\",\"_score\":1.0},{\"_index\":\".kibana\",\"_type\":\"index-pattern\",\"_id\":\"testing-service-20180821161600\",\"_score\":1.0},{\"_index\":\".kibana\",\"_type\":\"index-pattern\",\"_id\":\"logstash-*\",\"_score\":1.0}]}}" } }, "responsetime": 1, "client_ip": "127.0.0.1", "status": "OK" }, "fields": { "@timestamp": [ 1534973657428 ] } }
