Logstash from winlogbeat to file not sorting results properly

saif3r · November 25, 2019, 12:56pm

Hello,

I'm extracting information from my winlogbeat index and sorting them by @timestamp. Unfortunately it seems like output file results are not properly sorted by that field. Any idea why?
Note: I've run the pipeline once, using --pipeline.workers=1

Input:

input {
	elasticsearch {
		hosts => ["localhost:9200"]
		index => "winlogbeat*"
		query => '{
				  "query": {
					"bool": {
					  "must": [
						{
						  "terms": {
							"event.code": [
							  "4624",
							  "4634",
							  "4647"
							]
						  }
						}
					  ],
					  "filter": {
						"range": {
						  "@timestamp": {
							"gte": "now-250d"
						  }
						}
					  }
					}
				  },
				  "sort": {
					"@timestamp": {
					  "order": "asc"
					}
				  }
				}'
	}
}

Results:

2019-09-12T00:03:41.585Z|0x58322d370|account6|Logon
2019-09-12T00:04:08.763Z|0x58339d631|account_123|Logoff
2019-09-12T00:04:16.372Z|0x58322d370|account6|Logoff
2019-09-12T00:04:38.762Z|0x58364edf4|account1|Logoff
2019-09-12T00:03:58.000Z|0x58339d631|account_123|Logon
2019-09-12T00:04:10.844Z|0x5834bf2fa|account2|Logon
2019-09-12T00:04:27.114Z|0x58364edf4|account1|Logon
2019-09-12T00:04:48.382Z|0x5834bf2fa|account2|Logoff
2019-09-12T00:05:03.380Z|0x583971f91|account3|Logon
2019-09-12T00:05:41.953Z|0x583971f91|account3|Logoff

Badger · November 25, 2019, 2:45pm

If pipeline.java_execution is enabled (and it is on by default in v7) then events are re-ordered even with "--pipeline.workers 1"

saif3r · November 29, 2019, 2:33pm

Hi,

Seems like with this entry it works just fine:

  pipeline.java_execution: false

Thanks.

system · December 27, 2019, 2:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.