N00b: E on bro problem

ubuntu 16.04, following recipe in
https://git.rg.net/randy/randy/src/master/ELK-stack.md

# /usr/share/logstash/bin/logstash -e
output {
  stdout {}
}
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /usr/share/logstash/config/log4j2.properties. Using default config which logs to console
ERROR: No configuration file was specified. Perhaps you forgot to provide the '-f yourlogstash.conf' flag?
usage:
  bin/logstash -f CONFIG_PATH [-t] [-r] [] [-w COUNT] [-l LOG]
  bin/logstash -e CONFIG_STR [-t] [--log.level fatal|error|warn|info|debug|trace] [-w COUNT] [-l LOG]
  bin/logstash -i SHELL [--log.level fatal|error|warn|info|debug|trace]
  bin/logstash -V [--log.level fatal|error|warn|info|debug|trace]
  bin/logstash --help

and yet

# ls -la /etc/logstash
total 32
drwxrwxr-x   3 root root 4096 Mar 10 23:45 ./
drwxr-xr-x 107 root root 4096 Mar 11 00:27 ../
drwxrwxr-x   2 root root 4096 Mar 10 23:55 conf.d/
-rw-rw-r--   1 root root 1738 Feb 24 17:41 jvm.options
-rw-rw-r--   1 root root 1334 Feb 24 17:41 log4j2.properties
-rw-rw-r--   1 root root 4487 Mar 10 23:45 logstash.yml
-rw-rw-r--   1 root root 1659 Feb 24 17:41 startup.options

clue bat please

randy

If you installed via APT/DEB package, then you probably need to add --path.settings /etc/logstash

This is because the -e flag does some funny stuff under the hood. Beware of 3rd party configuration examples. Otherwise, try putting your test configuration in an actual configuration file and use the -f flag.

thank you! but that gets me to

[2017-03-12T05:03:27,411][ERROR][logstash.filters.geoip   ] IP Field contained invalid IP address or hostname {:exception=>java.net.UnknownHostException: -, :field=>"id.resp_h", :event=>2017-03-12T05:03:19.225Z bro0.dfw.rg.net 1489294999.225140    -       -       -       -       -       unknown_protocol_112    -      Fworker-0}

do i also need to tell it where the filters are in /etc/logstash/conf.d/?

indeed, i used apt. so is it safe to presume that the logstash started by systemdeath does not need this parameterization if i used all the default locations?

I can't see the GeoIP filter in your configuration. But it is clear that bro0.dfw.rg.net does not resolve to an IP that the GeoIP plugin recognizes. That seems to be what the message says.

i believe that i am using the bro/logstash log filters from http://www.505forensics.com. i just put the one to process the conn.log up at https://archive.psg.com/bro-conn_log.conf
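The error quoted earlier in the thread ends in `UnknownHostException: -` with `:field=>"id.resp_h"`, and every address column of that conn.log event is `-`, which is the marker Bro writes for a field that has no value. The geoip filter is being handed that marker as if it were a host. The following is an added example, not code from the thread or from the 505forensics filters: a small Python model of a conn.log ingest stage that maps `-` to unset and only offers the geoip lookup a value that parses as a literal IP address, which is what wrapping the geoip block in a conditional does inside a Logstash pipeline. The column list covers only the leading conn.log fields, the sample lines are constructed, and the private-range skip goes one step beyond the thread, since public GeoIP databases have no entries for those ranges.

```python
import ipaddress
from typing import Dict, List, Optional

# Leading columns of a Bro conn.log record, in the order Bro writes them
# (a full record has more columns; these are enough for the lookup check).
CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p",
               "id.resp_h", "id.resp_p", "proto", "service"]

UNSET = "-"  # Bro's marker for a field that carries no value


def parse_conn_line(line: str) -> Dict[str, Optional[str]]:
    """Split one tab-separated conn.log line into a dict, turning Bro's
    '-' unset marker into None so later stages can test for it."""
    parts = line.rstrip("\n").split("\t")
    event: Dict[str, Optional[str]] = {}
    for name, value in zip(CONN_FIELDS, parts):
        event[name] = None if value == UNSET else value
    return event


def geoip_candidate(event: Dict[str, Optional[str]], field: str = "id.resp_h",
                    skip_private: bool = True) -> Optional[str]:
    """Return the value of `field` only if it is a literal IP address that a
    GeoIP database can be asked about; otherwise None, meaning the geoip
    stage should be skipped for this event instead of raising on '-' or
    on a hostname."""
    value = event.get(field)
    if value is None:
        return None
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        # hostnames, '-' and garbage are not IP literals; handed to the
        # geoip plugin they surface as the UnknownHostException in the thread
        return None
    if skip_private and (addr.is_private or addr.is_loopback or addr.is_multicast):
        # public GeoIP databases carry no entries for these ranges
        return None
    return str(addr)


def enrich_plan(lines: List[str]) -> List[Optional[str]]:
    """For each raw line, the address the geoip stage would look up, or None."""
    return [geoip_candidate(parse_conn_line(line)) for line in lines]


# Constructed sample lines (not from the thread). The first mirrors the shape
# of the failing event: every address column unset, protocol number 112.
SAMPLE_LINES = [
    "1489294999.225140\t-\t-\t-\t-\t-\tunknown_protocol_112\t-",
    "1489295000.000000\tCabc123\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl",
    "1489295001.000000\tCdef456\t10.0.0.5\t51235\t10.0.0.9\t22\ttcp\tssh",
    "1489295002.000000\tCghi789\t10.0.0.5\t51236\texample.com\t80\ttcp\thttp",
]

if __name__ == "__main__":
    for line, candidate in zip(SAMPLE_LINES, enrich_plan(SAMPLE_LINES)):
        action = f"geoip lookup {candidate}" if candidate else "skip geoip"
        print(f"{line.split(chr(9))[0]}: {action}")
```

Run stand-alone it prints one line per sample, and only the second sample reaches the lookup. In a Logstash config the equivalent guard is a conditional on the source field around the `geoip { }` block, so events like the `unknown_protocol_112` one pass through without an error.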
