We have created an Elastic stack to monitor logs from the Linux clients. On the Linux clients, Filebeat is configured to ship the logs to the Elastic stack.
When we search the logs in the Elastic Discover view, the @timestamp and the timestamp inside the message do not match. How can we configure @timestamp to be the same as the message timestamp?
eg: fields (time, @timestamp, beat.hostname, message, source):
time: November 1st 2021, 08:41:20.986
@timestamp: November 1st 2021, 08:41:20.986
beat.hostname: scnmgmt3
message: "Nov 1 06:00:03 scnmgmt3 sshd[84934]: Accepted password for root from 172.22.76.114 port 43778 ssh2"
source: /var/log/secure
logstash input:-
input {
  beats {
    port => 5044
    ssl => false
  }
}
logstash filter:-
filter {
  # Only events carrying type == "syslog" enter this block. Recent Filebeat
  # versions do not set "type" by default, so either set it in filebeat.yml
  # (fields + fields_under_root) or drop the condition.
  if [type] == "syslog" {
    grok {
      # SYSLOGLINE populates "timestamp", "logsource", "program", "pid" and the message body
      match => { "message" => "%{SYSLOGLINE}" }
    }
    date {
      # Syslog pads single-digit days with a space ("Nov  1"), so the two-space
      # pattern is needed in addition to the one-space and two-digit patterns.
      # With no "target", the parsed time replaces @timestamp.
      match => [ "timestamp", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
      # timezone => "UTC"   # set to the clients' zone if it differs from the Logstash host's zone
    }
  }
}
@timestamp: November 1st 2021, 08:41:20.986
beat.hostname: scnmgmt3
message: "Nov 1 06:00:03 scnmgmt3 sshd[84934]: Accepted password for root from 172.22.76.114 port 43778 ssh2"
source: /var/log/secure
My requirement is to grep the events based on time. I am already able to do that, but the problem is that the timestamp in the message field does not match the Filebeat timestamp. So I need to add a new field that is the same as the message timestamp, and the same needs to be added to the Filebeat fields.
Sorry. Since I am new to ELK, I didn't understand your solution.
We are using Filebeat to ship the logs from the client, and a Logstash input on the ELK server was created to receive the logs from Filebeat. I didn't understand why we need to change the timestamp here.
In our ELK server there is a timestamp (I think that is based on the Filebeat sync time) and one more is in the Filebeat message field (it is a single field with timestamp and message). Now we need to separate the timestamp from the message field so we can query based on the exact time of the event/message.
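What the grok + date filters in the thread are doing, written out as a stand-alone Python example (added here; it is not code from the thread, from Filebeat or from Logstash). The regex mirrors the SYSLOGLINE header, the timestamp parser mirrors the date filter including the two issues that usually cause a mismatch: syslog pads single-digit days with a space ("Nov  1") and carries no year, so the year has to come from the ingest time, with a roll-back when a line written on Dec 31 is shipped on Jan 1. The `tz` parameter plays the role of the date filter's `timezone` option. The sshd line is the one from the question; the Filebeat ingest times and the cron line are constructed, and both are assumed to be in UTC. Being able to query an "Accepted password for root" event by the time it happened, rather than by the time Filebeat shipped it, is exactly what the parsed `event_time` gives you.

```python
import re
from datetime import datetime, timedelta, timezone

# Regex equivalent of the grok SYSLOGLINE header used in the Logstash filter:
# "MMM  d HH:mm:ss host program[pid]: message". Syslog pads single-digit days
# with a space ("Nov  1"), so the day group must accept one or more spaces.
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logsource>\S+) "
    r"(?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<body>.*)$"
)

MONTHS = {name: number for number, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def parse_syslog_timestamp(text, reference, tz=timezone.utc):
    """Turn 'Nov  1 06:00:03' into an aware datetime.

    The syslog header carries no year, so it is taken from `reference` (the
    ingest time, i.e. Filebeat's @timestamp). If that puts the event more than
    a day in the future (a Dec 31 line ingested on Jan 1), the previous year is
    used instead. `tz` is the zone the client wrote the header in, the same
    role the Logstash date filter's `timezone` option plays.
    """
    month, day, clock = text.split()          # split() absorbs the double space
    hour, minute, second = (int(part) for part in clock.split(":"))
    event = datetime(reference.year, MONTHS[month], int(day),
                     hour, minute, second, tzinfo=tz)
    if event - reference > timedelta(days=1):
        event = event.replace(year=reference.year - 1)
    return event


def parse_line(line, ingest_time, tz=timezone.utc):
    """Split a raw syslog line into fields and attach the event time.

    Returns None if the line does not carry a syslog header. `event_time` is
    what the date filter would write into @timestamp; `lag_seconds` is how far
    behind the event Filebeat's own timestamp was.
    """
    match = SYSLOG_RE.match(line)
    if match is None:
        return None
    fields = match.groupdict()
    event_time = parse_syslog_timestamp(fields["timestamp"], ingest_time, tz)
    fields["event_time"] = event_time.astimezone(timezone.utc).isoformat()
    fields["lag_seconds"] = round((ingest_time - event_time).total_seconds(), 3)
    return fields


# Sample input (constructed): the sshd line from the question with a Filebeat
# ingest time matching the @timestamp shown there, plus a line that crosses a
# year boundary. Both ingest times are assumed to be UTC.
SAMPLES = [
    ("Nov  1 06:00:03 scnmgmt3 sshd[84934]: Accepted password for root "
     "from 172.22.76.114 port 43778 ssh2",
     datetime(2021, 11, 1, 8, 41, 20, 986000, tzinfo=timezone.utc)),
    ("Dec 31 23:59:58 scnmgmt3 cron[1]: (root) CMD (run-parts /etc/cron.hourly)",
     datetime(2022, 1, 1, 0, 0, 10, tzinfo=timezone.utc)),
]


def parse_samples():
    """Parse every constructed sample and return the field dicts."""
    return [parse_line(line, ingested) for line, ingested in SAMPLES]


if __name__ == "__main__":
    for event in parse_samples():
        print(event["event_time"], event["program"], event["lag_seconds"], event["body"])
```

For the sshd line this yields an event time of 06:00:03 UTC and a lag of roughly 2 h 41 min against the Filebeat timestamp, which is the gap the question describes; in Logstash the same result is obtained by letting the date filter overwrite @timestamp (no `target`) and setting `timezone` when the clients and the Logstash host are not in the same zone.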