Logstash pipeline does not work

Elastic Stack Logstash
1

This is my pattern log :

80.253.157.26 - - [19/Nov/2023:15:17:50 +0330] "POST /followup/danesh/5b81bc62-d82d-4f98-aacd-eab80474faca HTTP/1.1" 200 852

This is apache log . As I know if I want to use this log in logstash I can use from grok patterns:

%{COMMONAPACHELOG:request}

so it could simulate such as follow :

{
  "request": [
    "80.253.157.26 - - [19/Nov/2023:15:17:50 +0330] \"POST /followup/danesh/5b81bc62-d82d-4f98-aacd-eab80474faca HTTP/1.1\" 200 852",
    "/followup/danesh/5b81bc62-d82d-4f98-aacd-eab80474faca"
  ],
  "auth": "-",
  "ident": "-",
  "response": "200",
  "bytes": "852",
  "clientip": "80.253.157.26",
  "verb": "POST",
  "httpversion": "1.1",
  "timestamp": "19/Nov/2023:15:17:50 +0330"
}

also this is my pipeline :

input{
   beats {

    port => 5071

}

}

filter{

  grok{
    match  =>  { "message" => '%{IPORHOST:clientip} %{HTTPDUSER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-)' }

}

}




output{

  stdout{}
  elasticsearch {
   index => newopenbank
   hosts => ["https://IP:9200"]
   cacert => '/etc/logstash/certs/http_ca.crt'
   user => "elastic"
   password => "password"

}

}

but it does not create any index and does not work

this is logstash log :

[2023-11-20T01:21:52,356][INFO ][logstash.javapipeline    ][pipeline1] Starting pipeline {:pipeline_id=>"pipeline1", "pipeline.workers"=>8, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>1000, "pipeline.sources"=>["/etc/logstash/conf.d/pipeline1.conf"], :thread=>"#<Thread:0x4629d2fd /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
[2023-11-20T01:21:52,864][INFO ][logstash.javapipeline    ][pipeline1] Pipeline Java execution initialization time {"seconds"=>0.51}
[2023-11-20T01:21:52,870][INFO ][logstash.javapipeline    ][pipeline2] Pipeline Java execution initialization time {"seconds"=>0.51}
[2023-11-20T01:21:52,872][INFO ][logstash.inputs.beats    ][pipeline1] Starting input listener {:address=>"0.0.0.0:5070"}
[2023-11-20T01:21:52,878][INFO ][logstash.javapipeline    ][pipeline1] Pipeline started {"pipeline.id"=>"pipeline1"}
[2023-11-20T01:21:52,882][INFO ][logstash.inputs.beats    ][pipeline2] Starting input listener {:address=>"0.0.0.0:5071"}
[2023-11-20T01:21:52,882][INFO ][logstash.javapipeline    ][pipeline2] Pipeline started {"pipeline.id"=>"pipeline2"}
[2023-11-20T01:21:52,888][INFO ][logstash.agent           ] Pipelines running {:count=>2, :running_pipelines=>[:pipeline2, :pipeline1], :non_running_pipelines=>[]}
[2023-11-20T01:21:52,925][INFO ][org.logstash.beats.Server][pipeline1][355b5961c5bd22351a4cf5494bc9b254124e7179d0d5df19c80c7a9c27b9bd90] Starting server on port: 5070
[2023-11-20T01:21:52,926][INFO ][org.logstash.beats.Server][pipeline2][65fe548fb9a6519537f8f4576c444eb7c28ae6d684a8ec03cb8f57a91b84aa5d] Starting server on port: 5071
2

Can you show the FB configuration? - filebeat.yml

3

This is my filebeat :

###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.

# ============================== Filebeat inputs ===============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# filestream is an input for collecting log messages from files.
- type: filestream

  # Unique ID among all inputs, an ID is required.
  id: my-filestream-id

  # Change to true to enable this input configuration.
  enabled: true

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /opt/neo/logs/*.txt
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  # Line filtering happens after the parsers pipeline. If you would like to filter lines
  # before parsers, use include_message parser.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  # Line filtering happens after the parsers pipeline. If you would like to filter lines
  # before parsers, use include_message parser.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #prospector.scanner.exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false


# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "10.20.30.40:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
   hosts: ["https://10.20.30.40:9200"]
   protocol: "https"


  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
   username: "elastic"
   password: "password"
   ssl:
    enabled: true
    ca_trusted_fingerprint: "23E9D473CE99BB2C6C331F43C94DA35B3096ABA83C844AB5CB04458F95AE83BC"
output.elasticsearch.index: "neo-%{[agent.version]}"
setup.template.name: "neo"
setup.template.pattern: "neo-%{[agent.version]}"

# ------------------------------ Logstash Output -------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================
# Filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

# ============================== Instrumentation ===============================

# Instrumentation support for the filebeat.
#instrumentation:
    # Set to true to enable instrumentation of filebeat.
    #enabled: false

    # Environment in which filebeat is running on (eg: staging, production, etc.)
    #environment: ""

    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200

    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:

    # Secret token for the APM Server(s).
    #secret_token:


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true
4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.