Logstash logging to messages


(Jplamadrid) #1

Good day,

Just want to know how I can control Logstash logging to /var/messages.log in CentOS 7? We integrated ELK with Snort and keep on receiving these kinds of logs:

Jan 13 03:39:04 hostname logstash: {
Jan 13 03:39:04 hostname logstash: "Rule_SID" => 10000003,
Jan 13 03:39:04 hostname logstash: "host" => "",
Jan 13 03:39:04 hostname logstash: "path" => "/var/log/snort/alert",
Jan 13 03:39:04 hostname logstash: "time_units" => "min",
Jan 13 03:39:04 hostname logstash: "time_threshold" => "1",
Jan 13 03:39:04 hostname logstash: "Source_Port" => 49691,
Jan 13 03:39:04 hostname logstash: "type" => "snort-alert",
Jan 13 03:39:04 hostname logstash: "hit_threshold" => "200",
Jan 13 03:39:04 hostname logstash: "Destination_Port" => 3071,
Jan 13 03:39:04 hostname logstash: "@timestamp" => 2019-01-12T19:39:03.873Z,
Jan 13 03:39:04 hostname logstash: "Rule_Revision" => 1,
Jan 13 03:39:04 hostname logstash: "tags" => [
Jan 13 03:39:04 hostname logstash: [0] "throttled"
Jan 13 03:39:04 hostname logstash: ],
Jan 13 03:39:04 hostname logstash: "Timestamp" => 2019-01-12T19:39:03.118Z,
Jan 13 03:39:04 hostname logstash: "Rule_GID" => 1,
Jan 13 03:39:04 hostname logstash: "Destination_IP" => "",
Jan 13 03:39:04 hostname logstash: "Alert" => "UDP Test",
Jan 13 03:39:04 hostname logstash: "Priority" => 0,
Jan 13 03:39:04 hostname logstash: "Source_IP" => "172.24.3.206",
Jan 13 03:39:04 hostname logstash: "@version" => "1",
Jan 13 03:39:04 hostname logstash: "Protocol" => "UDP",
Jan 13 03:39:04 hostname logstash: "message" => "01/13/19-03:39:03.118563 [] [1:10000003:1] UDP Test [] [Priority: 0] {UDP} "
Jan 13 03:39:04 logstash: }

ELK + Snort is also integrated with a log server, so it's kinda noisy. Please help, thanks a lot!
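The pipeline below is an added example, not code from the post or from the Elastic project. It assumes the lines above are produced by a `stdout { codec => rubydebug }` output left in the pipeline from debugging (the `"field" => value` layout with `[0]` array indices is that codec's format) and that Logstash runs as a systemd service, whose journal captures the process's stdout and forwards it to rsyslog, which writes it to /var/log/messages. The file, throttle and elasticsearch settings are assumptions that only mirror the fields visible in the sample event.

```conf
# /etc/logstash/conf.d/snort.conf (assumed path)
input {
  file {
    path => "/var/log/snort/alert"   # as in the "path" field of the sample
    type => "snort-alert"            # as in the "type" field of the sample
  }
}

filter {
  # Existing grok/mutate filters that populate Rule_SID, Source_IP, etc.
  # belong here; omitted because they are not shown in the post.

  # Assumed reconstruction of the throttle that tags events "throttled":
  # after 200 hits (hit_threshold) for the same rule within 60 seconds
  # (time_threshold of 1 min), further events are tagged.
  throttle {
    before_count => -1
    after_count  => 200
    period       => "60"
    key          => "%{Rule_SID}"
    add_tag      => "throttled"
  }
}

output {
  # Real destination for the alerts.
  elasticsearch {
    hosts => ["localhost:9200"]      # assumed address
    index => "snort-%{+YYYY.MM.dd}"
  }

  # This is the source of the noise: every event is also pretty-printed to
  # stdout, journald captures it under the "logstash" syslog identifier and
  # rsyslog appends it to /var/log/messages. Remove it, or keep it commented
  # out and enable it only while debugging a pipeline change.
  # stdout { codec => rubydebug }
}
```

After editing, check the pipeline with `/usr/share/logstash/bin/logstash --config.test_and_exit -f /etc/logstash/conf.d/` and restart the service; Logstash's own operational log stays in /var/log/logstash/ and is unaffected by this change.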
