Logstash losing messages

M_B_I · July 12, 2018, 10:35am

Hello, everyone!

I have a lot of syslog messages. And when I trying to filter them I found that logstash losing some messages. How can I investigate why? And how can I found howq many of messages are missed ?

Christian_Dahlqvist · July 12, 2018, 10:50am

What does you config look like? Which inputs are you using?

M_B_I · July 12, 2018, 11:43am

input
{
syslog
{
port => 514
type => "syslog_Check"
}
}
filter
{
if [type] == "syslog_Check"
{
mutate {
gsub => [ "message", ".<134>1 ", "date:=", "message", "= ", " ", "message", ":"", "=", "message", ":=", "=", "message", "";", ";", "message", "; ", ";", "message", " .[", ";" ]
}
kv {field_split => ";"}
if
[message] =~ ".could not get SAs from packet." or
[message] =~ ".no proposal chosen." or
[message] =~ ".No valid SA." or
[message] =~ ".Packet is dropped because there is no valid SA." or
[message] =~ ".Phase one received notification from peer; payload malformed." or
[message] =~ ".Quick Mode failed to match proposal." or
[message] =~ ".Quick Mode Received Notification from Peer: invalid id information." or
[message] =~ ".Reject Reason: Gateway to Gateway authentication failure." or
[message] =~ ".Unknown SPI for IPsec packet." or
[message] =~ ".Virtual defragmentation error: Timeout." or
[message] =~ ".encryption failure: Failed to enforce VPN Policy (11)." or
[message] =~ ".encryption failure: no response from peer." or
[message] =~ ".encryption failure: Tunnel failure, unresolved SA (VPN Error code 01)." or
[message] =~ ".encryption failure: Unknown SPI." or
[message] =~ ".encryption failure: Wrong peer gateway for decrypted." or
[message] =~ ".failed to connect: Internal error- (CCC_E_GENERAL)." or
[message] =~ ".IKE: Aggressive Mode Failed to match proposal:." or
[message] =~ ".IKE: Main Mode cannot complete certificate chain." or
[message] =~ ".IKE: Main Mode Sent Notification to Peer: invalid certificate." or
[message] =~ ".IKE: Main Mode Sent Notification to Peer: invalid information." or
[message] =~ ".Invalid ID information." or
[message] =~ ".Invalid Peer Certificate." or
[message] =~ ".no common community for myself and peer." or
[message] =~ ".no proposal chosen." or
[message] =~ ".No valid SA." or
[message] =~ ".authentication failed." or
([user] and [action] == "Log In")
{
mutate {
rename => { "ike" => "metric"
"community" => "object_name"
"service" => "serv" }
add_field => {
"value" => 1
"service" => "CheckP"
"description" => "Syslog time = %{date}. Detected an ERROR. Obj: %{object_name}. ERROR - %{metric}"
"object_category" => "Check_syslog"
"metric_category" => "predicate" }
remove_field => ["tags", "message" ]
}
if ([object_name] == "" or [object_name] == "obj")
{mutate{
rename => {"object_name" => "to_delete_obj" }}
}
if
[action] == "Log In" and
([user] =~ ".user1" or
[user] =~ ".user2" or
[user] =~ ".user3" or
)
{
mutate {
update => {
"metric" => "CheckUserLogOn"
"object_name" => "%{user}"
"value" => 1
"service" => "CheckUser"
"description" => "There was the login attempt for user - %{user} at - %{date}. Please, provide information why VPN-connection was used."
"object_category" => "Check_user"
"metric_category" => "predicate" }
add_field =>
"object_name" => "%{user}"
"metric" => "CheckUserLogOn"
}
}
}

                    else
                    {drop{}}
					}

}
output
{
if [type] == "syslog_Check"
{
# { stdout {codec => rubydebug}}
elasticsearch
{
hosts => "localhost:9200"
index => "syslog_check-%{+YYYY.MM.dd}"
}
}
}

M_B_I · July 12, 2018, 11:56am

Hey, Christian it seems like that I found why it doesn't work, but when I get my expresion in brackets

like this
if (expresion )
{
if (expresion )
}
else
{drop {}}
it's look like it's work...

M_B_I · July 12, 2018, 1:33pm

No, it's still losses some logs. Maybe my filter is too big for logstash?

Christian_Dahlqvist · July 12, 2018, 1:35pm

Are you sending your data over TCP or UDP? If you are using UDP, have you verified that all data is actually reaching Logstash?

Christian_Dahlqvist · July 12, 2018, 1:38pm

M_B_I:

if
[message] =~ ". could not get SAs from packet. " or
[message] =~ ". no proposal chosen. " or
[message] =~ ". No valid SA. " or
[message] =~ ". Packet is dropped because there is no valid SA. " or
[message] =~ ". Phase one received notification from peer; payload malformed. " or
[message] =~ ". Quick Mode failed to match proposal. " or
[message] =~ ". Quick Mode Received Notification from Peer: invalid id information. " or
[message] =~ ". Reject Reason: Gateway to Gateway authentication failure. " or
[message] =~ ". Unknown SPI for IPsec packet. " or
[message] =~ ". Virtual defragmentation error: Timeout. " or
[message] =~ ". encryption failure: Failed to enforce VPN Policy (11). " or
[message] =~ ". encryption failure: no response from peer. " or
[message] =~ ". encryption failure: Tunnel failure, unresolved SA (VPN Error code 01). " or
[message] =~ ". encryption failure: Unknown SPI. " or
[message] =~ ". encryption failure: Wrong peer gateway for decrypted. " or
[message] =~ ". failed to connect: Internal error- (CCC_E_GENERAL). " or
[message] =~ ". IKE: Aggressive Mode Failed to match proposal:. " or
[message] =~ ". IKE: Main Mode cannot complete certificate chain. " or
[message] =~ ". IKE: Main Mode Sent Notification to Peer: invalid certificate. " or
[message] =~ ". IKE: Main Mode Sent Notification to Peer: invalid information. " or
[message] =~ ". Invalid ID information. " or
[message] =~ ". Invalid Peer Certificate. " or
[message] =~ ". no common community for myself and peer. " or
[message] =~ ". no proposal chosen. " or
[message] =~ ". No valid SA. " or
[message] =~ ". authentication failed. " or
([user] and [action] == "Log In")
{

It looks like this section could potentially be VERY slow as it might require a lot of regular expression parsing. Have you got X-Pack monitoring installed so you can see how much processing time is spent here?

M_B_I · July 12, 2018, 1:55pm

All data received over UDP. Yes, we verified that all data receied on target host.
No, I don't have X-Pack.
But maybe I can see some message in logs of logstash that it dropped some events?

Christian_Dahlqvist · July 12, 2018, 2:05pm

Instead of dropping the messages in the config, why not write them to a separate file so you can verify it is dropping whet you expect it to?

M_B_I · July 12, 2018, 2:16pm

hmmm....I never do that...
You mean that I need to write my logs to file, and then parse it? Or make separeted config files?
How I can implement this?

Christian_Dahlqvist · July 12, 2018, 2:26pm

I was suggesting it as a way to debug this, not necessarily a permanent feature.

Instead of the drop filter, instead add e.g. a tag. The only send events without this tag to elasticsearch and write all events with a tag to e.g. a file output so you can see exactly what is being dropped.

M_B_I · August 7, 2018, 8:54am

Hi, Christian!
I removed drop filter, but for my sorry logstash still loses messages.

But when I replased input plugin for this :

udp
{
type => 'syslog'
port => 514
queue_size => 72000
receive_buffer_bytes => 31457280
}

It works fine! Logstash don't lose messages anymore !

my input lugin was :

input
{
syslog
{
port => 514
type => "syslog"
}
}

system · September 4, 2018, 8:54am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.