Cdnvballer
November 22, 2019, 6:47pm
1
Hi,
i'm receiving network device syslog via filebeats - works fine, using default syslog filter
grok {
I try to add the following:
geoip{
if [system][syslog][hostname] =~ /^10\.101\./ {
mutate { add_field => { "[geoip][location]" => "37.388340" } }
mutate { add_field => { "[geoip][location]" => "-121.888420" } }
!and a few other if statements that check the first two octets of [system][syslog][hostname] and assign latitude and longitude...
}
is this valid?
Badger
November 22, 2019, 6:58pm
2
[geoip][location] is a geo_point. There are several options for feeding elasticsearch geo_points. I believe this is one of them...
mutate {
add_field => {
"[geoip][location][lat]" => "37.388340"
"[geoip][location][lon]" => "-121.888420"
}
}
Cdnvballer
November 22, 2019, 7:11pm
3
ok- so that seems to reduce the # of statements required to add the coordinates.
Badger
November 22, 2019, 7:38pm
4
You would still need to add latitude, longitude, and the ip to geoip, but you can use a single mutate+add_field to add them, and I do not think the conversion to float is required. elasticsearch will convert them as it maps them.
Cdnvballer
November 22, 2019, 8:51pm
5
(Note, I'm using logstash 6.8.4)
geoip{
if [system][syslog][hostname] =~ /^10\.101\./ {
mutate {
add_field => {
"[geoip][location][lat]" => "37.388340"
"[geoip][location][lon]" => "-121.888420"
}
}
}
and get the following error:
[2019-11-22T12:47:03,843][ERROR][logstash.agent ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, => at line 42, column 5 (byte 3197) after filter {\n if [fileset][module] == "system" {\n if [fileset][name] == "auth" {\n grok {\n match => { "message" => ["%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} %{DATA:[system][auth][ssh][method]} for (invalid user )?%{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]} port %{NUMBER:[system][auth][ssh][port]} ssh2(: %{GREEDYDATA:[system][auth][ssh][signature]})?",\n "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} user %{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]}",\n "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: Did not receive identification string from %{IPORHOST:[system][auth][ssh][dropped_ip]}",\n "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sudo(?:\[%{POSINT:[system][auth][pid]}\])?: \s*%{DATA:[system][auth][user]} "\n }\n remove_field => "message"\n }\n date {\n match => [ "[system][auth][timestamp]", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]\n }\n geoip {\n source => "[system][auth][ssh][ip]"\n target => "[system][auth][ssh][geoip]"\n }\n }\n else if [fileset][name] == "syslog" {\n grok {\n match => { "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:[system][syslog][hostname]} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"] }\n pattern_definitions => { "GREEDYMULTILINE" => "(.|\n) " }\n remove_field => "message"\n }\n date {\n match => [ "[system][syslog][timestamp]", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]\n }\n geoip{\n\n\tif ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in block in compile_sources'", "org/jruby/RubyArray.java:2577:in map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:151:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:22:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:90:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:43:in block in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:96:in block in exclusive'", "org/jruby/ext/thread/Mutex.java:165:in synchronize'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:96:in exclusive'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:39:in execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:334:in block in converge_state'"]}
Badger
November 22, 2019, 10:24pm
6
You cannot put the if statement inside the geoip filter. Put the filter inside the if statement.
Cdnvballer
November 25, 2019, 5:04pm
7
Sorry I think you've lost me -- so it would be like this?
if [system][syslog][hostname] =~ /^10\.101\./ {
geoip {
add_field => {
"[geoip][location][lat]" => "37.388340"
"[geoip][location][lon]" => "-121.888420"
}
}
}
Badger
November 25, 2019, 6:27pm
8
Like this:
filter {
if [system][syslog][hostname] =~ /^10\.101\./ {
mutate {
add_field => {
"[geoip][location][lat]" => "37.388340"
"[geoip][location][lon]" => "-121.888420"
}
}
}
Cdnvballer
November 25, 2019, 7:37pm
9
thanks again - I made that change and added the other if statements to cover all other site cases...
Cdnvballer
November 25, 2019, 7:40pm
10
sorry - I don't call geoip{} anywhere after the IF statement, am I missing this?
Badger
November 25, 2019, 8:48pm
11
No, in the case of a private network, where you are adding the fields of geoip using mutate, you do not need to use a geoip filter.
To answer your previous post ... You need to use an index template. It could look very much like the default template for logstash-* , which defines geoip.location as a geo_point. Just change the index_patterns field.
Cdnvballer
November 25, 2019, 9:16pm
12
you lost me at using index template... =\ sorry, trying to lookg into this now...
I'm seeing weird issue:
my IF block within the filter looks like this:
if [system][syslog][hostname] =~ /(10\.101.*)/ {
mutate {
add_field => {
"[geoip][location][lat]" => "37.388340"
"[geoip][location][lon]" => "-121.888420"
}
}
}
else if [system][syslog][hostname] =~ /(10\.24.*)/ {
mutate {
add_field => {
"[geoip][location][lat]" => "22.306110"
"[geoip][location][lon]" => "114.187480"
}
}
}
else if [system][syslog][hostname] =~ /(10\.110.*)/ {
mutate {
add_field => {
"[geoip][location][lat]" => "35.654902"
"[geoip][location][lon]" => "139.774605"
}
}
}
...
else if [system][syslog][hostname] =~ /(10\.20.*)/ or [system][syslog][hostname] =~ /(10\.21.*)/ or [system][syslog][hostname] =~ /(10\.5.*)/ or [system][syslog][hostname] =~ /(10\.2.*)/ {
mutate {
add_field => {
"[geoip][location][lat]" => "37.391640"
"[geoip][location][lon]" => "-121.891630"
}
}
}
Cdnvballer
November 27, 2019, 1:43am
13
ok so I ran this to get my index:http://127.0.0.1:9200/filebeat-6.8.4-2019.11.27/_mapping?pretty > my_mapping.json
and I can find section that has [system][syslog][hostname] and [system][syslog][timestamp]:
"syslog" : {
would it be just a matter of adding this? -->
"geoip" : {
"dynamic": true,
"properties" : {
"ip": { "type": "ip" },
"location" : { "type" : "geo_point" },
"latitude" : { "type" : "half_float" },
"longitude" : { "type" : "half_float" }
}
}
system
December 25, 2019, 1:43am
14
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
%{DATA:[system][auth][sudo][error]} ;)? TTY=%{DATA:[system][auth][sudo][tty]} ; PWD=%{DATA:[system][auth][sudo][pwd]} ; USER=%{DATA:[system][auth][sudo][user]} ; COMMAND=%{GREEDYDATA:[system][auth][sudo][command]}",\n "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} groupadd(?:\[%{POSINT:[system][auth][pid]}\])?: new group: name=%{DATA:system.auth.groupadd.name}, GID=%{NUMBER:system.auth.groupadd.gid}",\n "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} useradd(?:\[%{POSINT:[system][auth][pid]}\])?: new user: name=%{DATA:[system][auth][user][add][name]}, UID=%{NUMBER:[system][auth][user][add][uid]}, GID=%{NUMBER:[system][auth][user][add][gid]}, home=%{DATA:[system][auth][user][add][home]}, shell=%{DATA:[system][auth][user][add][shell]}$",\n "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} %{DATA:[system][auth][program]}(?:\[%{POSINT:[system][auth][pid]}\])?: %{GREEDYMULTILINE:[system][auth][message]}"] }\n pattern_definitions => {\n "GREEDYMULTILINE"=> "(.|\n)"\n }\n remove_field => "message"\n }\n date {\n match => [ "[system][auth][timestamp]", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]\n }\n geoip {\n source => "[system][auth][ssh][ip]"\n target => "[system][auth][ssh][geoip]"\n }\n }\n else if [fileset][name] == "syslog" {\n grok {\n match => { "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:[system][syslog][hostname]} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"] }\n pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)" }\n remove_field => "message"\n }\n date {\n match => [ "[system][syslog][timestamp]", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]\n }\n geoip{\n\n\tif ", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in