Logstash to kibana index pattern fields


New to the whole ELK scene. I had my environment stood up with multiple nodes, and when I installed Filebeat it installed the filebeat-* index pattern with a lot of fields that it used for various visualizations and dashboards.

I have my Logstash set up so that it's taking in syslogs from remote servers and reporting them into ES, and I can see it in Kibana. But now I am trying to create some meaningful visualizations and dashboards, and I noticed that the filebeat-* index pattern has so many more fields than my logstash-* index pattern. I am mainly just starting, so I wanted to concentrate on ssh login/failed login/sudo and create dashboards/visualizations like the ones that Filebeat provided.

I looked on the discussion forum and Google, but the only thing I found close to what I am looking for was https://www.elastic.co/blog/grokking-the-linux-authorization-logs; however, it does not tie things into Logstash/Kibana much or explain how to get there...

Any help on my next steps?

I am on 6.4.

You probably need to parse out fields in your Logstash config. Have a look at this blog post for an introduction to how to go about this.
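For reference, here is what "parsing out fields in the Logstash config" looks like for the sshd and sudo lines the question is about. This is an added example, not code from the thread or from the linked Elastic blog post; the listening port, the Elasticsearch address and the sample log lines in the comments are assumptions, so adjust them to the real environment.

```conf
# Added example (not from this thread): Logstash 6.x pipeline that turns
# syslog auth lines into fields the logstash-* index pattern can use for
# SSH login / failed login / sudo visualizations.
# Assumed: remote hosts send syslog to port 5514 and Elasticsearch is local.
input {
  syslog { port => 5514 }   # yields logsource, timestamp, program, pid, message
}

filter {
  if [program] == "sshd" {
    grok {
      # Constructed sample messages this pattern matches:
      #   "Accepted publickey for alice from 10.0.0.5 port 51234 ssh2"
      #   "Failed password for invalid user admin from 10.0.0.5 port 4022 ssh2"
      match => { "message" => "%{WORD:auth_result} %{WORD:auth_method} for (?:invalid user )?%{USERNAME:auth_user} from %{IPORHOST:src_ip} port %{POSINT:src_port:int} ssh2" }
      tag_on_failure => ["_sshd_grok_failure"]   # keeps unparsed lines visible
    }
    if [message] =~ /invalid user/ {
      mutate { add_field => { "auth_invalid_user" => "true" } }
    }
  }
  else if [program] == "sudo" {
    grok {
      # Constructed sample message:
      #   "  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls"
      match => { "message" => "\s*%{USERNAME:sudo_user} : TTY=%{DATA:sudo_tty} ; PWD=%{DATA:sudo_pwd} ; USER=%{USERNAME:sudo_target_user} ; COMMAND=%{GREEDYDATA:sudo_command}" }
      tag_on_failure => ["_sudo_grok_failure"]
    }
  }
  if [src_ip] {
    # The default logstash-* template maps geoip.location as geo_point,
    # so this is enough for a coordinate map of failed-login sources.
    geoip { source => "src_ip" }
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "logstash-%{+YYYY.MM.dd}"
  }
}
```

After the first parsed events arrive, refresh the field list of the logstash-* index pattern in Kibana (Management > Index Patterns) so fields such as auth_result, auth_user and sudo_command become available to visualizations; events carrying a `_grok_failure` tag show which log formats still need a pattern.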

Thank you, will check it out!
