Two different config files are in /etc/logstash/conf.d; one input is on TCP 1514 and the other input on UDP 3514. Both files work well when used on the command line (one at a time):
/usr/share/logstash/bin/logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/unix-udp-syslog.conf
/usr/share/logstash/bin/logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/unix-udp-syslog.conf
When they are started with systemctl, it takes some values from one and/or the other and creates an array out of them; this corrupts my Elasticsearch results.
Test case: log in as a user (root) without giving a password, just hit Enter three times quickly; this fires syslog messages and sends them to the Logstash server.
It works if just one or the other file is in conf.d.
How can this be achieved?
Output in messages, with stdout enabled:
Dec 13 15:42:02 linuxSystem logstash: {
Dec 13 15:42:02 linuxSystem logstash: "syslog_pid" => "21483",
Dec 13 15:42:02 linuxSystem logstash: "syslog_program" => "sshd",
Dec 13 15:42:02 linuxSystem logstash: "syslog_user" => [
Dec 13 15:42:02 linuxSystem logstash: [0] "root",
Dec 13 15:42:02 linuxSystem logstash: [1] "root"
Dec 13 15:42:02 linuxSystem logstash: ],
Dec 13 15:42:02 linuxSystem logstash: "syslog_message" => "Failed password for root from 10.0.0.12 port 53667 ssh2",
Dec 13 15:42:02 linuxSystem logstash: "syslog_src_ip_address" => [
Dec 13 15:42:02 linuxSystem logstash: [0] "10.0.0.12",
Dec 13 15:42:02 linuxSystem logstash: [1] "10.0.0.12"
Dec 13 15:42:02 linuxSystem logstash: ],
Dec 13 15:42:02 linuxSystem logstash: "tags" => [
Dec 13 15:42:02 linuxSystem logstash: [0] "ssh_failed_login",
Dec 13 15:42:02 linuxSystem logstash: [1] "_grokparsefailure",
Dec 13 15:42:02 linuxSystem logstash: [2] "ssh_failed_login"
Dec 13 15:42:02 linuxSystem logstash: ],
Dec 13 15:42:02 linuxSystem logstash: "syslog_src_hostname" => [
Dec 13 15:42:02 linuxSystem logstash: [0] "myWorkstationName",
Dec 13 15:42:02 linuxSystem logstash: [1] "10.0.0.12,10.0.0.12"
Dec 13 15:42:02 linuxSystem logstash: ],
Dec 13 15:42:02 linuxSystem logstash: "@timestamp" => 2017-12-13T14:42:02.000Z,
Dec 13 15:42:02 linuxSystem logstash: "syslog_timestamp" => "Dec 13 15:42:02",
Dec 13 15:42:02 linuxSystem logstash: "@version" => "1",
Dec 13 15:42:02 linuxSystem logstash: "syslog_dest_hostname" => "linuxSystem2",
Dec 13 15:42:02 linuxSystem logstash: "@metdata" => {},
Dec 13 15:42:02 linuxSystem logstash: "syslog_src_port" => [
Dec 13 15:42:02 linuxSystem logstash: [0] "53667",
Dec 13 15:42:02 linuxSystem logstash: [1] "53667"
Dec 13 15:42:02 linuxSystem logstash: ]
Dec 13 15:42:02 linuxSystem logstash: }
Here is part of the config files; both have more or less the same content. One is for Linux syslog (TCP) and the other for AIX syslog (UDP).
Config file 1 content:
input {
  udp {
    port => 3514
  }
}
# the conditional below sits inside the filter section of the file
filter {
  if "Failed password" in [syslog_message] and "invalid" not in [syslog_message] {
    grok { match => { "syslog_message" => [ "Failed password for %{WORD:syslog_user} from %{IP:syslog_src_ip_address} port %{NUMBER:syslog_src_port} " ] } }
    mutate { add_field => { "syslog_src_hostname" => "%{syslog_src_ip_address}" } }
    mutate { add_tag => "ssh_failed_login" }
  }
}
Config file 2 content:
input {
  tcp {
    port => 1514
  }
}
# the conditional below sits inside the filter section of the file
filter {
  if "Failed password" in [syslog_message] and "invalid" not in [syslog_message] {
    grok { match => { "syslog_message" => [ "Failed password for %{WORD:syslog_user} from %{IP:syslog_src_ip_address} port %{NUMBER:syslog_src_port} " ] } }
    mutate { add_field => { "syslog_src_hostname" => "%{syslog_src_ip_address}" } }
    mutate { add_tag => "ssh_failed_login" }
  }
}
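The behaviour described in the post is what Logstash does by default: when it is started as a service it reads every file in path.config (here /etc/logstash/conf.d) and concatenates them into a single pipeline, so the filter section of file 1 and the filter section of file 2 both run on every event, whichever input received it. Each grok, add_field and add_tag therefore fires twice per event, and the second write turns a scalar into an array (syslog_user => ["root", "root"], the tag "ssh_failed_login" appearing twice, and "10.0.0.12,10.0.0.12" in syslog_src_hostname, which is the sprintf rendering of a field that is already an array). On the command line with -f only one file is loaded, which is why the problem does not show there. The configuration below is an added example, not the poster's own files: it gives each input a type and guards each filter branch with it, so a given event only passes through the branch that belongs to its source. The type names "aix-syslog" and "linux-syslog" are assumptions, and the grok that parses the syslog header into syslog_message (not shown in the post) is assumed to run earlier in the filter section.

```conf
# Added example (not from the original post). One pipeline, two inputs,
# each event stamped with the input it came from.
input {
  udp {
    port => 3514
    type => "aix-syslog"      # assumed type name for the AIX (UDP) source
  }
  tcp {
    port => 1514
    type => "linux-syslog"    # assumed type name for the Linux (TCP) source
  }
}

filter {
  # The syslog header grok that populates [syslog_message] is assumed to
  # run here (it is not part of the posted fragment).

  # Only events received on UDP 3514 enter this branch.
  if [type] == "aix-syslog" {
    if "Failed password" in [syslog_message] and "invalid" not in [syslog_message] {
      grok { match => { "syslog_message" => [ "Failed password for %{WORD:syslog_user} from %{IP:syslog_src_ip_address} port %{NUMBER:syslog_src_port} " ] } }
      mutate { add_field => { "syslog_src_hostname" => "%{syslog_src_ip_address}" } }
      mutate { add_tag => "ssh_failed_login" }
    }
  }

  # Only events received on TCP 1514 enter this branch, so the AIX-specific
  # and Linux-specific parsing can diverge without touching each other.
  if [type] == "linux-syslog" {
    if "Failed password" in [syslog_message] and "invalid" not in [syslog_message] {
      grok { match => { "syslog_message" => [ "Failed password for %{WORD:syslog_user} from %{IP:syslog_src_ip_address} port %{NUMBER:syslog_src_port} " ] } }
      mutate { add_field => { "syslog_src_hostname" => "%{syslog_src_ip_address}" } }
      mutate { add_tag => "ssh_failed_login" }
    }
  }
}
```

The two halves may stay in two separate files under conf.d; because Logstash concatenates them anyway, what matters is that every filter block in both files is wrapped in its [type] guard (or in a check such as `if "aix" in [tags]` when the input uses `tags => [...]` instead). A quick check is to run the service with stdout { codec => rubydebug } and confirm that syslog_user, syslog_src_port and tags come back as single values rather than two-element arrays. If the two sources must be isolated completely (separate queues, no shared filters at all), Logstash 6.0 and later can instead run them as two pipelines declared in pipelines.yml, each with its own pipeline.id and path.config pointing at one file; that avoids the concatenation entirely.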