Logstash indices mixup in Kibana

I am using Filebeat to get logs from a remote app server and the Logstash JDBC plugin to get logs from a DB server, but in Kibana, when the logs are flowing, the indices are mixing up, i.e. logs from the app server are showing up in the DB index and vice versa.
Any suggestions on how to avoid this?

What's in your Logstash configuration file(s)?

# NOTE(review): configuration as first posted. It already explains the "mixed up" indices:
#   - all three elasticsearch outputs write to the same index pattern, so every source lands together;
#   - the if / else if / else chain wraps whole `output {}` blocks, but only input, filter and output are
#     accepted at the top level -- conditionals belong inside one `output {}` (see the last reply below);
#   - `[tags] == "access_log"` compares an array with a string and never matches; the filter section
#     already uses the working form, `"access_logs" in [tags]` (note the tag is spelled access_logs
#     there and access_log here, so even the fixed comparison would not line up).
# The jdbc input mentioned in the question is not in this file. If it lives in another file in the same
# config directory, Logstash concatenates them into one pipeline and those (untagged) events pass through
# these filters and outputs as well -- TODO confirm which files make up the pipeline.
input {
beats {
# plaintext listener: the beats input supports `ssl => true` with a certificate/key if the app server
# reaches this port over a network you do not fully trust
port => 5044
}
}

filter {
if "access_logs" in [tags] {
grok {
match => {
# NOTE(review): as shown, each pattern contains an unescaped `"` before `(?:` and bare `[ ]` around the
# timestamp; the quote ends the string early and an unescaped `[` opens a regex character class. In the
# config file these need to be `\"` and `\[ ... \]` (or the pattern wrapped in single quotes). The forum
# may have eaten the backslashes, and each pattern must be a single line, not wrapped as here.
# The first pattern also has a stray extra `}` after %{WORD:application}, which the log line would have
# to contain literally.
"message" => [
"%{IPORHOST:x_forwarded_for} %{IPORHOST:load_balancer} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "(?:%{WORD:verb}%{SPACE}
/%{WORD:application}}%{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
(?:%{WORD:ServerHost}:%{WORD:ServerPort})",
"%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "(?:%{WORD:verb} /%{WORD:application}%{NOTSPACE:request}(?:
HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:%{WORD:ServerHost}:%{WORD:ServerPort})",
"%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "(?:%{WORD:verb} /%{WORD:application}%{NOTSPACE:request}(?:
HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)"
]
}
}
}
if "BPM" in [tags] {
grok {
match => {
# %{SYSLOG5424SD} without a field name consumes the bracketed prefix without storing it
"message" => [
"%{SYSLOG5424SD}%{SPACE}%{BASE16NUM:ThreadID}%{SPACE}%{WORD:ShortName}%{SPACE}%{WORD:EventType}%{SPACE}%{WORD:MessageIdentifier}:%{SPACE}%{GREEDYDATA:event}",
"%{SYSLOG5424SD}%{SPACE}%{WORD:ThreadID}%{SPACE}%{WORD:Logger}%{SPACE}%{WORD:MessageType}%{SPACE}%{GREEDYDATA:event}"
]
}
}
}
# `[type][tags]` addresses a subfield of `type`, which does not exist; this condition is never true.
# The tag check is `"syslog" in [tags]` (see the reply below).
if "syslog" in [type][tags] {
grok {
match => {
# same bracket issue: `[%{POSINT:syslog_pid}]` needs to be `\[%{POSINT:syslog_pid}\]` to match literal
# brackets, and the pattern must not be split across two lines
"message" => [
"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?:
%{GREEDYDATA:syslog_message}"
]
}
}
}
}

# NOTE(review): everything from here down sits outside any output block. Logstash rejects top-level
# conditionals, and even inside an output block `[tags] == "..."` is always false for an array field.
# Expected shape:  output { if "access_logs" in [tags] { elasticsearch { ... } } else if ... { ... } }
# An event that matches no branch is discarded without a log line, so a final `else` with a catch-all
# index is worth having: silently lost log events are hard to notice from the Kibana side.
if[tags] == "access_log"
{
output {
elasticsearch {
# plain http to the cluster with no credentials; the elasticsearch output supports `ssl`, `user` and
# `password` if this node is reachable from beyond the Logstash host
hosts => ["10.190.188.174:9200"]
index => "logstash-%{+YYYY.MM.dd}"
}
}
}
else if [tags] == "BPM"
{
output {
elasticsearch {
hosts => ["10.190.188.174:9200"]
index => "logstash-%{+YYYY.MM.dd}"
}
}
}
# `else` takes no condition: either plain `else {` or `else if "syslog" in [tags] {` (see reply below)
else [tags] == "syslog"
{
output {
elasticsearch {
hosts => ["10.190.188.174:9200"]
index => "logstash-%{+YYYY.MM.dd}"
}
}
}

You're complaining about events being mixed up but you're sending all events to "logstash-%{+YYYY.MM.dd}" so I'm confused over what the problem is. All your elasticsearch outputs are identical.

if "syslog" in [type][tags] {

This doesn't make sense. The type field doesn't have any subfields.

if[tags] == "access_log"

The tags field is an array and not a string so I wouldn't expect this to ever be true. I suggest you use if "access_log" in [tags] instead.

else [tags] == "syslog"

Use plain else or else if "syslog" in [tags].

I am a newbie to ELK and I didn't understand the output part. Do I need to change else [tags] == "syslog" to else if "syslog" in [tags]?

Yes.

So I have made the changes as suggested.
Now when I run configtest for Logstash I am getting the error below:
Expected one of #, input, filter, output at line 155, column 1 (byte 5330) after {:level=>:error}

# NOTE(review): second revision. The index names are now distinct per source, which is the right idea,
# but the output section is still a chain of top-level conditionals wrapping `output {}` blocks, and only
# input, filter and output may appear at the top level. That is most likely what the configtest error
# "Expected one of #, input, filter, output at line 155, column 1" is reporting: the parser reached the
# conditional chain where it expected one of those three keywords. The fix is one `output {}` block
# with the conditionals inside it (see the final reply below).
input {
beats {
# plaintext listener; the beats input supports `ssl => true` with a certificate/key when the app
# server reaches this port over a network you do not fully trust
port => 5044
}
}

filter {
if "access_logs" in [tags] {
grok {
match => {
# NOTE(review): the patterns are unchanged from the first post: unescaped `"` before `(?:`, bare `[ ]`
# around the timestamp, an extra `}` after %{WORD:application} in the first pattern, and wrapping
# across lines. In the config file they must be `\"`, `\[ ... \]` and one line per pattern; the forum
# may have eaten the backslashes.
"message" => [
"%{IPORHOST:x_forwarded_for} %{IPORHOST:load_balancer} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "(?:%{WORD:verb}%{SPACE}
/%{WORD:application}}%{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)
(?:%{WORD:ServerHost}:%{WORD:ServerPort})",
"%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "(?:%{WORD:verb} /%{WORD:application}%{NOTSPACE:request}(?:
HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) (?:%{WORD:ServerHost}:%{WORD:ServerPort})",
"%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "(?:%{WORD:verb} /%{WORD:application}%{NOTSPACE:request}(?:
HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)"
]
}
}
}
if "BPM" in [tags] {
grok {
match => {
# %{SYSLOG5424SD} without a field name consumes the bracketed prefix without storing it
"message" => [
"%{SYSLOG5424SD}%{SPACE}%{BASE16NUM:ThreadID}%{SPACE}%{WORD:ShortName}%{SPACE}%{WORD:EventType}%{SPACE}%{WORD:MessageIdentifier}:%{SPACE}%{GREEDYDATA:event}",
"%{SYSLOG5424SD}%{SPACE}%{WORD:ThreadID}%{SPACE}%{WORD:Logger}%{SPACE}%{WORD:MessageType}%{SPACE}%{GREEDYDATA:event}"
]
}
}
}
# tag check corrected from `[type][tags]` to `[tags]` as advised
if "syslog" in [tags] {
grok {
match => {
# `[%{POSINT:syslog_pid}]` still needs `\[ ... \]` to match literal brackets, and the pattern must
# not be split across two lines
"message" => [
"%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?:
%{GREEDYDATA:syslog_message}"
]
}
}
}
}

# NOTE(review): still outside any output block (see header comment). Two of the three conditions also
# cannot match even once the structure is fixed: `[tags] == "access_log"` compares an array with a
# string, and the filter tags the events "access_logs", not "access_log". Events matching no branch
# are discarded silently -- a catch-all `else` index makes that visible.
if[tags] == "access_log"
{
output {
elasticsearch {
# plain http, no credentials; the elasticsearch output supports `ssl`, `user` and `password`
hosts => ["10.190.188.174:9200"]
index => "access-%{+YYYY.MM.dd}"
}
}
}
# `else` takes no condition -- this is the line the next reply asks about ("why did you drop the if");
# it needs to be `else if "BPM" in [tags]`
else [tags] == "BPM"
{
output {
elasticsearch {
hosts => ["10.190.188.174:9200"]
index => "bpm-%{+YYYY.MM.dd}"
}
}
}
else if "syslog" in [tags]
{
output {
elasticsearch {
hosts => ["10.190.188.174:9200"]
index => "sys-%{+YYYY.MM.dd}"
}
}
}

else [tags] == "BPM"

Why did you drop the "if" from here? The only things allowed after else are { or if.

It would be much much easier to debug your configuration if it was indented properly and posted as preformatted text. Right now one has to count braces and that's both boring and prone to mistakes.

So I have re-written all the grok filters and formatted them with indentation, but I am still facing the
Error: Expected one of #, {, } at line 13, column 85 (byte 185) after filter {

All the grok filters are fine; I have debugged them with https://grokdebug.herokuapp.com/

 # NOTE(review): third revision, the one that produces
 #   "Expected one of #, {, } at line 13, column 85 (byte 185) after filter {".
 # Line 13 of this file is the access_logs grok line below, and around that column the unescaped `"`
 # right before `(?:` closes the "message" string early, so the parser sees stray text where it expects
 # `{`, `}` or a comment. Escape the inner quotes as `\"` (or wrap the pattern in single quotes). The
 # backslashes in front of `[` and `]` are now present, so this is the one remaining parse problem in
 # the filter section. The output section has its own, separate problems (see below).
 input {
      beats {
    # plaintext listener; the beats input supports `ssl => true` with a certificate/key when the app
    # server reaches this port over a network you do not fully trust
    port => 5044
    		}
    	}


filter {
		if "access_logs" in [tags] 
		{
		grok {
			match => {
					    # NOTE(review): `\] "(?:` -- the `"` here terminates the string; use `\"` (twice, also before ` %{NUMBER:response}`)
					    "message" => "%{IPORHOST:x_forwarded_for} - - \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request} HTTP/%{NUMBER:httpversion})" %{NUMBER:response}"
					}
			}
		}
	    if "BPM" in [tags] 
		{
		grok {
			match => {
						# the three literal spaces after %{WORD:ShortName} must appear exactly in the log line;
						# %{SPACE} is the tolerant form if the spacing varies
						"message" => "%{SYSLOG5424SD:BPM_timestamp} %{BASE16NUM:ThreadID} %{WORD:EventType} %{WORD:ShortName}   %{WORD:MessageIdentifier}:%{SPACE}%{GREEDYDATA:event}"
					}
			}
		}
	    if "syslog" in [tags]
		{
		grok {
			match => {
						# nothing after `)?` consumes the `:` that usually follows the pid, so syslog_message will
						# start with that colon -- verify against a sample line
						"message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program} (?:\[%{POSINT:syslog_pid}\])?%{GREEDYDATA:syslog_message}"
					}
			}
		}
	}


# NOTE(review): the output section is still a top-level conditional chain wrapping `output {}` blocks;
# it has to be one `output {}` with the conditionals inside (the reply below shows the shape). Once that
# parses, note that `[tags] == "access_log"` and `[tags] == "BPM"` compare an array with a string and are
# never true, the filter tags access events "access_logs" (not "access_log"), and there is no branch for
# "syslog" at all. Events that match no branch are dropped without a log line, which is the likely reason
# the follow-up post sees no indices being created. Use `"access_logs" in [tags]` / `"BPM" in [tags]`
# / `"syslog" in [tags]`, and add a final `else` with a catch-all index so unmatched events stay visible.
if [tags] == "access_log"
{
	output {
	elasticsearch { 
					# plain http, no credentials; the elasticsearch output supports `ssl`, `user` and `password`
					hosts => ["10.190.188.174:9200"]
					index => "access-%{+YYYY.MM.dd}"
				}
			}
	}
else if [tags] == "BPM"
{
	output {
	elasticsearch { 
					hosts => ["10.190.188.174:9200"]
					index => "bpm-%{+YYYY.MM.dd}"
				}
		}
}

I think your output section needs to look like this:

# NOTE(review): one top-level `output {}`; the conditionals and the per-source elasticsearch outputs
# go inside it. Conditions on the tags array must use the `"name" in [tags]` form, with the same tag
# names the filter section uses. An event that matches no branch is discarded without any log line,
# so a final `else { elasticsearch { index => "<catch-all pattern>" } }` keeps unmatched events
# visible instead of silently losing them.
output {
  if ... {
    elasticsearch {
      ...
    }
  } else if ... {
    ..
  }
}

Awesome, finally this works. Thanks for your valuable quick replies :slight_smile:

The config test is OK, but now the indices are not being created in Elasticsearch.
