Not able to see the source ip field in the auth.log on kibana dashboard

shubhrant · January 24, 2017, 7:38am

hello,

I just want to add the source ip field in the auth.log separate as my auth.log dashboard are showing these field and the source ip flied is showing in the message

I want it like this, showing in the below screen sort

my logstash configuration file is

input {
beats {
port => 5044
}
}
filter {
if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{IP:source_ip} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
syslog_pri { }
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
if [type] == "apache" {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
geoip {
source => "clientip"
}
}
}

output {
elasticsearch {
hosts => ["localhost:9200"]
sniffing => true
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

magnusbaeck · January 24, 2017, 7:59am

You'll have to add a grok filter that extracts the IP address from the syslog_message field.

Note that your existing grok filter doesn't work; your event has a _grokparsefailure and the filter clearly hasn't extracted the fields. Fix that first.

shubhrant · January 24, 2017, 8:27am

hey magnus good to see you again ,

Can you please tell me what would be the grok filter for extract the IP address from the syslog message field....??

I simply use this grok filter -

if [type] == "syslog" {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslo$
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}

magnusbaeck · January 24, 2017, 9:01am

Yes, but I suggested adding another grok filter that parses the syslog_message field. Extracting the IP address from this particular message is way easier than your current expression.

shubhrant · January 24, 2017, 9:08am

ok then what is that another filter.. tell me so that I can add it

magnusbaeck · January 24, 2017, 9:14am

I don't have time to give everyone detailed and specific help. Please try for yourself and come back if you have any specific questions.

shubhrant · January 24, 2017, 9:15am

ok thanks

shubhrant · January 24, 2017, 12:29pm

Thanks magnus I found the grok filter

"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host_target} sshd[%{BASE10NUM}]: Accepted password for %{USERNAME:username} from %{IP:src_ip} port %{BASE10NUM:port} ssh2"

thanks for helping me

system · February 21, 2017, 12:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.