Hi,
I am kind of new to the Elasticsearch family, so I thought I would try to create some use cases.
One of those is to upload system information into Logstash from JSON documents gathered by Ansible. Ansible then reads these documents and makes a PUT request with the JSON document to my http input in Logstash.
I have gotten to the point where I am sending the system details into Logstash. Logstash 'seems' to be receiving the data, but the JSON is now embedded in the message field. At first, when I checked the content type, it was not set to application/json, so I have made sure that it is, to the point where I can see that it is set to that. Yet the problem still remains.
Here is the document:
@timestamp: Nov 17, 2020 @ 21:11:49.507
@version: 1
_id: Zm1C1XUBQqSOeyeSi2fv
_index: system-inventory-[version]}-2020.11.17
_score: -
_type: _doc
headers.accept_encoding: identity
headers.connection: close
headers.content_length: 3726
headers.content_type: application/json
headers.http_accept: -
headers.http_host: 192.168.1.105:6000
headers.http_user_agent: ansible-httpget
headers.http_version: HTTP/1.1
headers.request_method: PUT
headers.request_path: /
host: 10.42.2.0
message:
��{
  "computername": "W0001",
  "Patchesneeded": {
  },
  "osversion": "Microsoft Windows Server 2016 Standard",
  "software": [
    {
      "DisplayName": "7-Zip 18.05 (x64)",
      "DisplayVersion": "18.05"
    },
    {
      "DisplayName": "Git version 2.19.1",
      "DisplayVersion": "2.19.1"
    },
    {
      "DisplayName": "VMware Tools",
      "DisplayVersion": "10.2.1.8267844"
    },
    {
      "DisplayName": "Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161",
      "DisplayVersion": "9.0.30729.6161"
    },
    {
      "DisplayName": "Microsoft Silverlight",
      "DisplayVersion": "5.1.50918.0"
    },
    {
      "DisplayName": "Check_MK Agent 1.2.4p5",
      "DisplayVersion": "1.2.4p5"
    },
    {
      "DisplayName": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148",
      "DisplayVersion": "9.0.30729.4148"
    },
    {
      "DisplayName": "Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161",
      "DisplayVersion": "9.0.30729.6161"
    },
    {
      "DisplayName": "Check_MK Agent",
      "DisplayVersion": "1.2.8.1517"
    }
  ]
}
tags: _jsonparsefailure
And here is my logstash.conf:
input {
  http {
    port => 6000 # default: 8080
    codec => json
  }
}
filter {
  json {
    source => "message"
  }
}
output {
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]
    index => "system-inventory-[version]}-%{+YYYY.MM.dd}"
  }
  stdout {
    codec => rubydebug
  }
}
I am very new to ELK and I would love to learn how to use it. Any help would be appreciated.
Many thanks for any guidance or help that people can provide.
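
An added example, not part of the original post: the `��{` at the start of `message` is consistent with a UTF-16 byte-order mark being read as UTF-8, so, assuming that is the cause of the `_jsonparsefailure`, this sketch detects a BOM on a payload and re-encodes it as BOM-less UTF-8 before it is sent. The function names and the sample document are constructed for illustration, and `parses_as_plain_utf8` is a stand-in for any parser that expects BOM-less UTF-8, not Logstash's own code.

```python
import codecs
import json

# BOM signatures, longest first: the UTF-32 LE BOM begins with the UTF-16 LE one.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32"),
    (codecs.BOM_UTF32_BE, "utf-32"),
    (codecs.BOM_UTF8, "utf-8-sig"),
    (codecs.BOM_UTF16_LE, "utf-16"),
    (codecs.BOM_UTF16_BE, "utf-16"),
]

def detect_encoding(raw: bytes) -> str:
    """Return the codec implied by a leading BOM, or 'utf-8' if there is none."""
    for bom, codec in BOMS:
        if raw.startswith(bom):
            return codec
    return "utf-8"

def parses_as_plain_utf8(raw: bytes) -> bool:
    """Stand-in for a strict consumer: BOM-less UTF-8 JSON or nothing."""
    try:
        json.loads(raw.decode("utf-8"))
        return True
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return False

def normalize_json_payload(raw: bytes) -> bytes:
    """Decode according to the BOM, validate as JSON, re-emit as BOM-less UTF-8."""
    doc = json.loads(raw.decode(detect_encoding(raw)))
    return json.dumps(doc, ensure_ascii=False).encode("utf-8")

# Constructed sample modelled on the inventory document in the post.
SAMPLE_TEXT = json.dumps({
    "computername": "W0001",
    "software": [{"DisplayName": "7-Zip 18.05 (x64)", "DisplayVersion": "18.05"}],
})
SAMPLE_UTF8 = SAMPLE_TEXT.encode("utf-8")
SAMPLE_UTF8_BOM = codecs.BOM_UTF8 + SAMPLE_UTF8
SAMPLE_UTF16 = codecs.BOM_UTF16_LE + SAMPLE_TEXT.encode("utf-16-le")

if __name__ == "__main__":
    for name, raw in [("utf-8", SAMPLE_UTF8), ("utf-8+BOM", SAMPLE_UTF8_BOM),
                      ("utf-16", SAMPLE_UTF16)]:
        seen = raw.decode("utf-8", errors="replace")[:3]  # what a UTF-8 reader shows
        print(f"{name:10} head={raw[:4].hex()} seen={seen!r} "
              f"strict_ok={parses_as_plain_utf8(raw)} "
              f"after_fix_ok={parses_as_plain_utf8(normalize_json_payload(raw))}")
```

Comparing `headers.content_length` with the character count of the JSON is a quick cross-check: a UTF-16 body is roughly twice as many bytes as it has characters.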