Hi,
I have ELK 7.5.0 setup on one node with a few other systems running auditbeat and filebeat. I have SSL setup for communication between the beat and logstash. I have filebeat specified to look at /var/log/messages. Only the Time, "host.hostname" and message columns are populated in the [Filebeat System} ECS dashboard. The "message" column is populated with the full message as it is in syslog. I don't know what did I miss.
All syslog from clients are set to RFC5242 (syslog uses $ActionFileDefaultTemplate RSYSLOG_FileFormat)
I tried, the followings, but I can't seem to get the process name working. I think because of this, I don't get any data populated for Sudo and SSH logins also.
if [event.dataset] == "system.syslog"
if [type] == "syslog"
logstash/conf.d/logstash.conf is set as below.
Blockquote
input {
beats {
port => 5044
ssl => true
ssl_certificate_authorities => ["/etc/logstash/ssl/ca.crt"]
ssl_certificate => "/etc/logstash/ssl/xxxxxx.crt"
ssl_key => "/etc/logstash/ssl/xxxxxx.key"
ssl_verify_mode => "peer"
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGLINE}"}
}
}
}
output {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}