I've set up an ELK server for production use after doing a proof of concept, but I'm missing the raw fields on the production server that I have on the POC server. Everything else is working, but I need the raw fields because some of the data has dashes, so I can't use the regular fields.
Versions:
OS: CentOS 7
logstash-2.2.2-1.noarch
elasticsearch-2.2.0-1.noarch
kibana-4.4.1-1.x86_64
Here is my current logstash.conf:
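input {
  syslog {
    # NOTE(review): the syslog input listens on all interfaces unless `host` is set;
    # add `host => "<listener-address>"` if only one interface should accept syslog.
    port => 5514
    type => "syslog"
    tags => ["syslog"]
  }
}
filter {
  if [type] == "syslog" {
    grok {
      break_on_match => true
      # multiple filters included because all logs are dumped into one syslog and transferred over
      # the log type for the parse is at the end of the line in a comment
      # NOTE(review): the literal "[" and "]" in several patterns below are unescaped here;
      # in a regex an unescaped "[" opens a character class. If the real file has "\[" / "\]"
      # (backslashes are often lost when pasting), keep them escaped there.
      match => [
        "message", "^%{GREEDYDATA:event}[%{WORD:loglevel}] %{NUMBER:event_id} %{GREEDYDATA:parsed_msg}", #windows
        "message", "^%{GREEDYDATA:event}[%{WORD:loglevel}] message repeated %{NUMBER} times: [ %{NUMBER:event_id}", #windows
        "message", "^%{HOSTNAME:event} %{NUMBER:event_id} %{GREEDYDATA:parsed_msg}", #windows
        "message", "^%{HOSTNAME:event}[%{WORD} %{NUMBER:event_id} %{GREEDYDATA:parsed_msg}", #windows
        "message", "^ %{NUMBER:event_id} %{HOSTNAME:logsource} events %{HOSTNAME:event} %{GREEDYDATA:parsed_msg}", #firewall
        "message", "^ %{NUMBER:event_id} %{HOSTNAME:logsource} events %{WORD:event} %{GREEDYDATA:parsed_msg}", #firewall
        "message", "^ %{NUMBER:event_id} %{HOSTNAME:logsource} events type=%{WORD:event} %{GREEDYDATA:parsed_msg}", #firewall
        "message", "^ %{NUMBER:event_id} %{HOSTNAME:logsource} events %{WORD:event}: %{GREEDYDATA:parsed_msg}", #firewall
        "message", "^ %{NUMBER:event_id} %{HOSTNAME:logsource} %{HOSTNAME:event} %{GREEDYDATA:parsed_msg}", #firewall
        "message", "^%{IP:logsource}-1 %{GREEDYDATA:event}[%{NUMBER:event_id}]: %{GREEDYDATA:parsed_msg}", #switches
        "message", "^%{IP:logsource} %{WORD:event} %{GREEDYDATA:parsed_msg}", #switches
        "message", "^syslog %{WORD:event} %{GREEDYDATA:parsed_msg}", #switches
        "message", "^ %{NUMBER} %{WORD} events type=%{WORD:event} %{GREEDYDATA:parsed_msg}", #waps
        "message", "^%{SYSLOG5424PRI}%{CISCOTIMESTAMP} %{HOSTNAME:logsource} [%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HAPROXYTIME} %{HOSTNAME:program} +%{WORD:loglevel} +%{GREEDYDATA:parsed_msg}", #vcenter
        "message", "^%{SYSLOG5424PRI}%{CISCOTIMESTAMP} %{HOSTNAME:logsource}.*Z [%{WORD} %{WORD:loglevel} '%{WORD:program}' +%{GREEDYDATA:parsed_msg}", #vcenter
        "message", "^%{SYSLOG5424PRI}%{CISCOTIMESTAMP} %{HOSTNAME:logsource}.*Z [%{WORD} %{WORD:loglevel} '[%{WORD:program}]' +%{GREEDYDATA:parsed_msg}", #vcenter
        "message", "^%{SYSLOG5424PRI}%{CISCOTIMESTAMP} %{HOSTNAME:logsource}.*Z [%{WORD} %{WORD:loglevel} '%{WORD:program}'] +%{GREEDYDATA:parsed_msg}", #vcenter
        "message", "^%{SYSLOG5424PRI}%{CISCOTIMESTAMP} %{HOSTNAME:logsource} %{GREEDYDATA:parsed_msg}", #vcenter
        "message", "^%{SYSLOG5424PRI}%{SYSLOGLINE} %{GREEDYDATA:parsed_msg}" #vcenter
      ]
    }
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    # Sniffing replaces this host list with the node addresses the cluster advertises,
    # so Logstash may end up talking to nodes other than localhost.
    sniffing => true
    # `manage_template => false` is why the .raw fields are missing: the index template
    # that Logstash installs is what defines the not_analyzed `.raw` multi-field on
    # string fields, and with management disabled the production cluster never got it.
    # Templates apply when an index is created, so only indices created after this
    # change get .raw fields; existing daily indices would need to be reindexed.
    manage_template => true
    index => "logstash-%{+YYYY.MM.dd}"
  }
}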