Logstash don't read lines from imput file SAMBA

joansa · April 13, 2019, 4:45pm

Hi.

I've a IDS Suricata ina a raspberry-pi, and I install logstash, elasticsearch and kibana in
my Windows PC.

My idea is show from a SAMBA directory the suricata eve.json log to logstash.
So, When I run it, logstash dont receive lines.

I probe the seem logstash.conf with a stdin and when i copy a line, logstash get it.

input {
stdin {
codec => json
type => "SuricataIDPS"
}
}

but if I change the input from a file dont get data.
Note: The S: es the map SAMBA unit in my Windows PC

input {
file {
path => "S:\eve.json"
codec => json
type => "SuricataIDPS"
}
}

I prove charge with a local copy file, but dont get data.

input {
file {
path => "C:\ELK\eve.json"
codec => json
type => "SuricataIDPS"
sincedb_path => "NUL"
start_position => "beginning"
}
}

I dont understant. I learning ELK ...
Perhaps I dont must use the file input with a samba map ...
Perhaps I need install filebeat in the raspberry-pi...

Could Anyone help me with any idea?

Thanks

Badger · April 13, 2019, 5:14pm

Use /, not \, for Windows paths in a file input.

joansa · April 15, 2019, 10:47am

Thanks.
Now, I use / and I have done a test.

I detect that:

The file loads in read mode from the beginning (including from a SAMBA network unit) , but
if I load in mode TAIL, no load data...

I think if the problem is the end-line char.
Then I use "delimiter", "\r\n" defaults to "\n" perhaps if Windows logstash not detect the change of line in mode TAIL... but dont work either.

Any idea? I m blocked..

system · May 13, 2019, 10:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.