Problem Using Filebeat for logging ssh log in

Elastic Stack Beats
1

Hi,

SSh logs are not being shown in the kibana, I am pushing my logs to the ES Only

I am using the following configuration,
OS - Ubuntu 20.04
ES - 7.11.0
LogStash - 7.11.0
Kibana - 7.11.0
FileBeat - 7.11.0

The enabled module in filebeat is System

System.yml file :

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
    var.paths: ["/var/log/messages"]
  # Authorization logs
    var.convert_timezone: true
  auth:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
    var.paths: ["/var/log/secure"]
    var.convert_timezone: true

With the console in kibana i have

POST /filebeat-*/_search
{
"size": 10,
"query": {
"match": {
"source": "/var/log/messages"
}
}
}

Output :

{
  "took" : 0,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 0,
      "relation" : "eq"
    },
    "max_score" : null,
    "hits" : [x]
  }
}

For

GET _nodes/stats/ingest

I have :

{
  "_nodes" : {
    "total" : 1,
    "successful" : 1,
    "failed" : 0
  },
  "cluster_name" : "my-application",
  "nodes" : {
    "L_HA_nnGQ9OfQiW-4y4q0w" : {
      "timestamp" : 1613472269331,
      "name" : "node-1",
      "transport_address" : "192.168.1.26:9300",
      "host" : "192.168.1.26",
      "ip" : "192.168.1.26:9300",
      "roles" : [
        "data",
        "data_cold",
        "data_content",
        "data_hot",
        "data_warm",
        "ingest",
        "master",
        "ml",
        "remote_cluster_client",
        "transform"
      ],
      "attributes" : {
        "ml.machine_memory" : "3093676032",
        "xpack.installed" : "true",
        "transform.node" : "true",
        "ml.max_open_jobs" : "20",
        "ml.max_jvm_size" : "1547698176"
      },
      "ingest" : {
        "total" : {
          "count" : 0,
          "time_in_millis" : 0,
          "current" : 0,
          "failed" : 0
        },
        "pipelines" : {
          "filebeat-7.11.0-system-syslog-pipeline" : {
            "count" : 0,
            "time_in_millis" : 0,
            "current" : 0,
            "failed" : 0,
            "processors" : [
              {
                "set" : {
                  "type" : "set",
                  "stats" : {
                    "count" : 0,
                    "time_in_millis" : 0,
                    "current" : 0,
                    "failed" : 0
                  }
                }
              }
"filebeat-7.11.0-system-auth-pipeline" : {
            "count" : 0,
            "time_in_millis" : 0,
            "current" : 0,
            "failed" : 0,
            "processors" : [
              {
                "set" : {
                  "type" : "set",
                  "stats" : {
                    "count" : 0,
                    "time_in_millis" : 0,
                    "current" : 0,
                    "failed" : 0
                  }
                }
              }
2

Please, can you parse your post in markdown? What's the output of filebeat?

3

What do you mean by "output of filebeat" ? You want to see my filebeat.yml ?

4

I just solve my problem ... because in my system.yml

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
    var.paths: ["/var/log/messages"]
  # Authorization logs
    var.convert_timezone: true
  auth:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
    var.paths: ["/var/log/secure"]
    var.convert_timezone: true

My 2 paths were wrong, they doesn't exists in Ubuntu ... So i replace

var.paths: ["/var/log/messages"]

by :

var.paths: ["/var/log/syslog"]

and

var.paths: ["/var/log/secure"]

by

var.paths: ["/var/log/auth.log"]

What a mistake :slight_smile:

1 Like
5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.