Hi guys,
I've configured an ELK stack:
ElasticSearch in ubuntu server 18.04
Kibana in docker
Logstash in docker
FileBeat in web-server (IIS)
Logstash is not adding any data to Elasticsearch. If I install Logstash on Windows it works (same logstash.conf). logstash.yml is the default.
The Logstash container can see Elasticsearch.
Docker run:
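# NOTE(review): the Logstash image loads its pipelines from
# /usr/share/logstash/pipeline/. A file mounted at /config/logstash.conf is
# not read there, so the image's bundled default pipeline (beats input on
# 5044, rubydebug to stdout, no elasticsearch output) runs instead -- this is
# consistent with the rubydebug event seen in the container log and with the
# same logstash.conf working on Windows. Only the mount target is changed
# below; all other flags are kept as they were.
# Ports 5000/tcp+udp and 9600 (the monitoring API) are published on every host
# interface although this pipeline only listens on 5044 -- consider dropping
# them, or binding to loopback (e.g. -p 127.0.0.1:9600:9600).
docker run --rm \
  -p 5000:5000 -p 5000:5000/udp -p 5044:5044 -p 9600:9600 \
  -v /opt/logstash/config/logstash.conf:/usr/share/logstash/pipeline/logstash.conf \
  -v /opt/logstash/config/logstash.yml:/usr/share/logstash/config/logstash.yml \
  --name logstash logstash:7.0.1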
logstash.conf:
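input {
  beats {
    port => 5044
    client_inactivity_timeout => 200
    # NOTE(review): with ssl left off, every log line (client IPs, user agents,
    # request paths) crosses the network in cleartext between the IIS host and
    # this port. Re-enable once the cert/key pair is mounted into the container;
    # the Windows paths below would then have to become container paths.
    #ssl => true
    #ssl_certificate => "C:\Temp\cert\logstash-forwarder.crt"
    #ssl_key => "C:\Temp\cert\logstash-forwarder.key"
  }
}

filter {
  # IIS W3C access log, default field order:
  #   date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip
  #   cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
  # Every column is a single token (spaces are '+'-encoded), so NOTSPACE replaces
  # GREEDYDATA: it cannot swallow a neighbouring column and avoids the heavy
  # backtracking that several GREEDYDATA captures in one pattern cause.
  # Field names are kept as before. Note that in this order `client` holds the
  # s-ip column (server address) and `user_ip` the c-ip column (client address),
  # which is why geoip runs on user_ip. Verify the order against the log file's
  # "#Fields:" header if the IIS logging fields were customised.
  if [fields][log_type] == "iis" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:ts} %{IPORHOST:client} %{WORD:method} %{URIPATHPARAM:request_path} %{NOTSPACE:uri_param} %{NUMBER:port:int} %{NOTSPACE:user} %{IPORHOST:user_ip} %{NOTSPACE:user_agent} %{NOTSPACE:referer} %{NUMBER:response_status:int} %{NUMBER:substatus:int} %{NUMBER:win32_status:int} %{NUMBER:ellapsed_milliseconds:int}" }
    }
    date {
      match => ["ts", "yyyy-MM-dd HH:mm:ss"]
      # IIS writes W3C timestamps in UTC; without an explicit zone the pattern is
      # read in the Logstash host's local zone and event_ts drifts by the offset.
      timezone => "UTC"
      target => "event_ts"
    }
    geoip {
      source => "user_ip"
    }
  }

  # HTTP.sys error log (HTTPERR), field order on Windows Server 2008 and later:
  #   date time c-ip c-port s-ip s-port cs-version cs-method cs-uri streamid
  #   sc-status s-siteid s-reason s-queuename
  # The sample event "... 5357 - - - - - - Timer_ConnectionIdle -" carries eight
  # tokens after s-port while the previous pattern had seven greedy captures, so
  # cs_version absorbed the first two columns and cs_method/cs_uri held the
  # cs-uri and streamid columns. streamid is now captured explicitly and, as
  # above, single-token columns use NOTSPACE.
  if [fields][log_type] == "httperr" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:ts} %{IPORHOST:c_ip} %{NUMBER:c_port:int} %{IPORHOST:s_ip} %{NUMBER:s_port:int} %{NOTSPACE:cs_version} %{NOTSPACE:cs_method} %{NOTSPACE:cs_uri} %{NOTSPACE:streamid} %{NOTSPACE:sc_status} %{NOTSPACE:siteid} %{NOTSPACE:reason} %{NOTSPACE:queuename}" }
    }
    date {
      match => ["ts", "yyyy-MM-dd HH:mm:ss"]
      # HTTPERR timestamps are written in UTC as well.
      timezone => "UTC"
      target => "event_ts"
    }
    geoip {
      source => "c_ip"
    }
  }
}

output {
  # If events appear on the container's stdout in rubydebug form but never in
  # Elasticsearch, this file is probably not the pipeline the container loaded;
  # check the mount target used in the docker run command.
  elasticsearch {
    # NOTE(review): plain http to a bare host:port -- no TLS and no credentials.
    # Acceptable only on an isolated network; add user/password and ssl => true
    # before the cluster is reachable from anywhere else.
    hosts => ["192.168.1.16:9200"]
    index => "iis-%{[fields][log_type]}-%{+YYYY.MM.ww}"
  }
}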
Logstash container log for the incoming event:
{
"@version" => "1",
"tags" => [
[0] "beats_input_codec_plain_applied"
],
"source" => "C:\Windows\System32\LogFiles\HTTPERR\httperr1.log",
"beat" => {
"name" => "v-titov",
"hostname" => "v-titov",
"version" => "6.2.1"
},
"message" => "2019-05-22 08:10:53 192.168.1.149 48906 192.168.1.72 5357 - - - - - - Timer_ConnectionIdle -",
"fields" => {
"server" => "mm",
"log_type" => "httperr"
},
"@timestamp" => 2019-05-22T08:12:03.207Z,
"prospector" => {
"type" => "log"
},
"offset" => 1818
}