Output to file, codec for windows events

Rakkijake · April 19, 2018, 12:26pm

Hello,

Setting up my first Elastic, and ran to an issue with logstash output to file.

I am trying to get output both on elastic and to file, and both are working otherwise fine; however, I dont get any timestamp on the output file for the log events. The log source is windows server. What should be the correct codec to get timestamps for the output file aswell ? Timestamps are ok when looking from Kibana.

Thanks in advance.

magnusbaeck · April 22, 2018, 8:16pm

What output are you getting? And what does the configuration look like?

Rakkijake · April 23, 2018, 9:27am

Configuration:

input {
beats {
port => 5044
type => "log"
}
}

output {
elasticsearch {
hosts => "localhost:9200"
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
file {
codec => line {
format => "{[%Date%]} | %{[severity]} : /%{[thread]}/ %{[loggername]} (%{[sourcemethodname]}) - %{[message]}"
}
path => "E:\ELK\Logs\Output%{host}/%{facility}-%{+yyyy-MM-dd}.log"
}
}

Log Example:

{[%Date%]} | %{[severity]} : /%{[thread]}/ %{[loggername]} (%{[sourcemethodname]}) - An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Impersonation Level: Impersonation

New Logon:

and so on..

So the event is fine, but the format is not working exactly as intended.

magnusbaeck · April 23, 2018, 9:59am

{[%Date%]}

Are you sure this shouldn't be %{[Date]}?

So the event is fine, but the format is not working exactly as intended.

Since you're not telling us what you get right now and what you expect to get you're making it hard to help.

Rakkijake · April 23, 2018, 11:39am

Hello,

Sorry bad articulation on my side.

Tried to change the date to %{[Date]} , but that didn't solve the issue.

So what I am looking for is timestamp inside the output files events. Currently there is no timestamp at all on any event, which i am trying solve now. The event details and other are fine, just missing the time, when the events have occured.

magnusbaeck · April 23, 2018, 11:56am

This is the third time I'm asking for details. I will not ask a fourth time. Show us:

What an event produced by Logstash looks like. Use a stdout { codec => rubydebug } output to dump the raw event.
What you currently get from the file output.

system · May 21, 2018, 11:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.