First I have to mention that this is my first ELK experience.
I set up ELK 7.04 on Ubuntu 18.04.3 LTS and am trying to ingest my gateway/firewall logs into Logstash. Filebeat is also set up on the box. I see the traffic logs coming through on UDP 514 and also see them when looking at my index in Kibana.
I have a couple of issues:
1- Even though I have my config file under conf.d ("/etc/logstash/conf.d/fw.conf"), Logstash does not load it when the service starts. I have to run it with the command "sudo /usr/share/logstash/bin/logstash -f /etc/logstash/conf.d/fw.conf".
2- I cannot find the correct grok filter to break the individual fields out of the "message" field. I had done this in Graylog with no issue, but cannot find the right format for Logstash.
- The following are a couple of events from the actual logs:
In the logstash.yml file, path.config does not have an entry. I thought the default path would be "/etc/logstash/conf.d/". Should I add that path to the path.config setting? Is any other modification required?
Regarding the other issue, I discovered that the logstash service is not showing up under services, even though I ran
$ systemctl start logstash.service
after installation. The only service that starts automatically is Elasticsearch. Filebeat is also not running on start.
Regarding the logs, if you are referring to logstash-plain.log, this is what it looks like after restarting the service:
[2019-10-20T22:32:58,642][INFO ][logstash.javapipeline ][main] Pipeline started {"pipeline.id"=>"main"}
[2019-10-20T22:32:58,674][INFO ][logstash.inputs.syslog ][main] Starting syslog tcp listener {:address=>"0.0.0.0:1514"}
[2019-10-20T22:32:58,688][INFO ][logstash.inputs.syslog ][main] Starting syslog udp listener {:address=>"0.0.0.0:1514"}
[2019-10-20T22:32:58,706][INFO ][logstash.inputs.udp ][main] Starting UDP listener {:address=>"0.0.0.0:514"}
[2019-10-20T22:32:58,716][INFO ][logstash.agent ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>}
[2019-10-20T22:32:58,747][ERROR][logstash.inputs.udp ][main] UDP listener died {:exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:213:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-udp-3.3.4/lib/logstash/inputs/udp.rb:116:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-udp-3.3.4/lib/logstash/inputs/udp.rb:68:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:314:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:306:in `block in start_input'"]}
[2019-10-20T22:32:58,873][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2019-10-20T22:33:03,755][INFO ][logstash.inputs.udp ][main] Starting UDP listener {:address=>"0.0.0.0:514"}
[2019-10-20T22:33:03,757][ERROR][logstash.inputs.udp ][main] UDP listener died {:exception=>#<Errno::EACCES: Permission denied - bind(2) for "0.0.0.0" port 514>, :backtrace=>["org/jruby/ext/socket/RubyUDPSocket.java:213:in `bind'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-udp-3.3.4/lib/logstash/inputs/udp.rb:116:in `udp_listener'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-input-udp-3.3.4/lib/logstash/inputs/udp.rb:68:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:314:in `inputworker'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:306:in `block in start_input'"]}
which makes me believe that this might be related to a permission issue with the listener on standard ports.
Does the permission issue on the standard port cause the service not to start, or is it unrelated?
And what is the solution to that?
Also, unrelated to the service, what is the best solution to gather IP geolocation for destination addresses?
With systemctl a service can be enabled, but that does not imply it starts automatically. Read the systemctl man page for details.
As the documentation says, you may need a conditional to check that the message has an appropriate format before trying to dissect with a given pattern.
The permission error suggests Logstash is not running as root, which would be needed if 514 is a privileged port on your version of UNIX. I would not expect that to prevent Logstash from starting.
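The conditional-before-dissect advice in the answer above is easy to get wrong without a way to try patterns offline, so here is an added example (my own code, not from the original post or from Elastic) that emulates the same logic in plain Python: a regex standing in for a grok pattern such as %{SYSLOGLINE}, a second regex standing in for the kv filter, and a conditional that only builds the firewall fields when the message actually looks like key=value pairs. Everything else is an assumption for illustration: the sample lines are constructed (the poster's real firewall events are not on the page) and imitate netfilter-style syslog, the fw.* field names are invented, and a failed match is tagged _grokparsefailure to mirror what Logstash's grok filter does.

```python
import re

# Constructed sample input (not from the original post): two netfilter-style
# firewall events, one unrelated sshd line, and one line that is not syslog.
SAMPLE_LINES = [
    "<134>Oct 20 22:32:58 fw01 kernel: SRC=10.0.0.5 DST=93.184.216.34 PROTO=TCP SPT=51234 DPT=443 ACTION=ALLOW",
    "<132>Oct 20 22:33:03 fw01 kernel: SRC=203.0.113.9 DST=10.0.0.5 PROTO=UDP SPT=53 DPT=5353 ACTION=DROP",
    "Oct 20 22:33:05 fw01 sshd: Accepted publickey for admin from 10.0.0.7 port 50022",
    "this line is not syslog at all",
]

# Stand-in for a grok pattern like %{SYSLOGLINE}: optional <PRI>, RFC 3164
# timestamp, host, program, then the free-form message (assumed shape).
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^:\s]+): (?P<message>.*)$"
)

# Stand-in for the kv filter: UPPERCASE=value pairs as netfilter logs them.
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_event(line):
    """Break one raw syslog line into fields.

    Returns a dict. A line that does not match the syslog shape keeps the raw
    message and gets the '_grokparsefailure' tag (the name grok uses), instead
    of being half-parsed. Firewall fields are only added when the message body
    really contains key=value pairs, which is the conditional the answer asks for.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return {"message": line, "tags": ["_grokparsefailure"]}

    event = m.groupdict()

    # Decode the syslog priority: facility is PRI / 8, severity is PRI mod 8.
    if event["pri"] is not None:
        pri = int(event["pri"])
        event["facility"] = pri >> 3
        event["severity"] = pri & 7

    # Conditional dissection: require at least two pairs so a stray '=' in a
    # prose message (e.g. an sshd line) does not produce garbage fields.
    pairs = KV_RE.findall(event["message"])
    if len(pairs) >= 2:
        # fw.* is an assumed field namespace for the illustration.
        event["fw"] = {key.lower(): value for key, value in pairs}

    return event


def parse_all(lines):
    """Parse many lines; return (parsed events, lines that failed the pattern)."""
    parsed, failed = [], []
    for line in lines:
        event = parse_event(line)
        if "_grokparsefailure" in event.get("tags", []):
            failed.append(line)
        else:
            parsed.append(event)
    return parsed, failed


if __name__ == "__main__":
    ok, bad = parse_all(SAMPLE_LINES)
    for ev in ok:
        print(ev["host"], ev["program"], ev.get("severity"), ev.get("fw"))
    print("unparsed:", bad)
```

When a line lands in the failed list here, the equivalent Logstash behaviour is a `_grokparsefailure` tag on the event; checking for that tag in Kibana is the quickest way to see which of the real firewall events a pattern does not cover before tightening the pattern or adding a conditional around it.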