Logstash + Syslog + Security

Hello ELK gurus. I have been working on getting my first production ELK SIEM working and for the most part it is doing what is required. The one area that is really not functioning the way it needs to is Logstash and the collection of syslogs. I am currently receiving the following error message in logstash-plain.log:

[2021-11-03T10:15:32,356][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \t\r\n], "#", "{" at line 24, column 9 (byte 584) after output {\n Elasticsearch { hosts => ["10.12.36.52:9200"] }\n stdout {codec => rubydebug}\n user ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:32:in compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:187:in initialize'", "org/logstash/execution/JavaBasePipelineExt.java:72:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:47:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:52:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:389:in block in converge_state'"]}

My current logstash pipeline yml is as follows.

input {
  udp {
      port => ####
      type => syslog
  }
}
filter {
   if [type] == "syslog" {
     grok {
         match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
         add_field => [ "received_at", "%{@timestamp}" ]
         add_field => [ "received_from", "%{host}" ]
     }
     date {
         match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
       }
   }
}

output {
    elasticsearch { hosts => ["ip:add:es:9200"] }
    stdout {codec => rubydebug}
    user => "elastic"
    password => "es_password"
}

After restarting the logstash service and even swapping around the output user and password settings with the stdout line I am still presented with the message above. If I remove the user and password then I receive a 401 connection denied error.

Another set of eyes on this would be greatly appreciated.

Thank you.

Your output config is wrong, the user and password should be inside the elasticsearch plugin configuration.

output {
    elasticsearch { 
        hosts => ["ip:add:es:9200"] 
        user => "elastic"
        password => "es_password"
    }
    stdout {codec => rubydebug}
}
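A small checker, added here as an example and not code from the thread or from Logstash itself, that walks the brace structure of a pipeline config and reports two things: a setting placed directly under a section instead of inside a plugin block (the exact mistake above, which Logstash's parser rejects) and a password written as a literal string. The sample configs are constructed from the thread; the `${ES_PWD}` form in the fixed version is Logstash's keystore/environment variable reference.

```python
import re

# Constructed sample: the output section from the question, bug intact.
BROKEN_OUTPUT = """
output {
    elasticsearch { hosts => ["ip:add:es:9200"] }
    stdout {codec => rubydebug}
    user => "elastic"
    password => "es_password"
}
"""

# Constructed sample: credentials inside the plugin, secret pulled from the keystore.
FIXED_OUTPUT = """
output {
    elasticsearch {
        hosts => ["ip:add:es:9200"]
        user => "elastic"
        password => "${ES_PWD}"
    }
    stdout {codec => rubydebug}
}
"""

# Tokens: quoted strings, bracketed lists, the => arrow, braces, bare words.
TOKEN = re.compile(r'"[^"]*"|\[[^\]]*\]|=>|\{|\}|[^\s{}\[\]"]+')

def lint_pipeline(text):
    """Return a list of findings for a Logstash pipeline config.
    Brace depth 1 is a section (input/filter/output); depth 2 or more is
    inside a plugin block. A 'key =>' seen at depth 1 has no plugin around
    it, which is what produced the 'Expected one of ...' error above."""
    findings = []
    depth = 0
    tokens = TOKEN.findall(text)
    for i, tok in enumerate(tokens):
        if tok == "{":
            depth += 1
        elif tok == "}":
            depth -= 1
        elif tok == "=>":
            key = tokens[i - 1]
            value = tokens[i + 1] if i + 1 < len(tokens) else ""
            if depth == 1:
                findings.append(f"setting '{key}' is outside any plugin block")
            if key == "password" and value.startswith('"') and not value.startswith('"${'):
                findings.append("password is a literal; reference it as ${VAR} from the keystore")
    return findings

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_OUTPUT), ("fixed", FIXED_OUTPUT)):
        print(name, lint_pipeline(cfg) or "no findings")
```

Logstash's own `bin/logstash --config.test_and_exit -f <pipeline.conf>` catches the syntax error before a service restart, and `bin/logstash-keystore add ES_PWD` stores the secret that `${ES_PWD}` resolves.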

Thank you, that worked to get me past that error message.
