Problem with Fake Log in Logshash


#1
  1. I install Elastic (no problem)
  2. I install Kibana (no problem)
  3. I run Logshtast with argument:

./logstash -f apache_config.conf

apache_config.conf

input {
file {
path => "/var/log/my_apache_logs/*.log"
}
}
filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}"}
}
geoip {
source => "clientip"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}

mutate {
convert => { "[geoip][coordinates]" => "float" }
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
hosts => [ "localhost:9200" ]
index => "logstash-apache-%{+YYYY.MM.dd}"
}
}


In /var/log/my_apache_logs/*.log i generated Fake Log from


https://github.com/kiritbasu/Fake-Apache-Log-Generator


Serwer respond:

Sending Logstash's logs to /data/dg_vbox/Logstash/logstash-6.2.2/logs which is now configured via log4j2.properties
[2018-03-06T10:34:39,179][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"netflow", :directory=>"/data/dg_vbox/Logstash/logstash-6.2.2/modules/netflow/configuration"}
[2018-03-06T10:34:39,192][INFO ][logstash.modules.scaffold] Initializing module {:module_name=>"fb_apache", :directory=>"/data/dg_vbox/Logstash/logstash-6.2.2/modules/fb_apache/configuration"}
[2018-03-06T10:34:39,613][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2018-03-06T10:34:40,081][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"6.2.2"}
[2018-03-06T10:34:40,393][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600}
[2018-03-06T10:34:43,162][INFO ][logstash.pipeline ] Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[2018-03-06T10:34:43,558][INFO ][logstash.outputs.elasticsearch] Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[http://localhost:9200/]}}
[2018-03-06T10:34:43,567][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://localhost:9200/, :path=>"/"}
[2018-03-06T10:34:43,714][WARN ][logstash.outputs.elasticsearch] Restored connection to ES instance {:url=>"http://localhost:9200/"}
[2018-03-06T10:34:43,760][INFO ][logstash.outputs.elasticsearch] ES Output version determined {:es_version=>nil}
[2018-03-06T10:34:43,763][WARN ][logstash.outputs.elasticsearch] Detected a 6.x and above cluster: the type event field won't be used to determine the document _type {:es_version=>6}
[2018-03-06T10:34:43,781][INFO ][logstash.outputs.elasticsearch] Using mapping template from {:path=>nil}
[2018-03-06T10:34:43,796][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>60001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"default"=>{"dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date"}, "@version"=>{"type"=>"keyword"}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}
[2018-03-06T10:34:43,831][INFO ][logstash.outputs.elasticsearch] New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["//localhost:9200"]}
[2018-03-06T10:34:43,979][INFO ][logstash.filters.geoip ] Using geoip database {:path=>"/data/dg_vbox/Logstash/logstash-6.2.2/vendor/bundle/jruby/2.3.0/gems/logstash-filter-geoip-5.0.3-java/vendor/GeoLite2-City.mmdb"}
[2018-03-06T10:34:44,251][INFO ][logstash.pipeline ] Pipeline started succesfully {:pipeline_id=>"main", :thread=>"#<Thread:0x7ccde8a5 run>"}
[2018-03-06T10:34:44,339][INFO ][logstash.agent ] Pipelines running {:count=>1, :pipelines=>["main"]}


I can't read that fake log from Kibana CLI (menagement).
I can't read that fake log from localhost:9200 (no password)
X-pack is not installed

What's a problem??

PS
I will be grateful for your help


(Tag V) #2

Seems no error with conf file. If input size is huge, logstash take some time to push pipeline events.

try running logstash in debug mode.
./logstash -f apache_config.conf --debug


(Magnus B├Ąck) #3

Logstash is tailing the log file you generated. Look into the start_position option for the file input and read the file input documentation in general to understand how it maintains the current state of the monitored files.


#4

It's only 100 events.
I try with --debug mode - not help


#5

Can you explain exactly?
I starting using Elastic and don't know how.


#6

Respond from Kibana:
GET /logstash/_search
{
"query": { "match_all": {} }
}
{

"error": {
"root_cause": [
{
"type": "index_not_found_exception",
"reason": "no such index",
"resource.type": "index_or_alias",
"resource.id": "logstash",
"index_uuid": "na",
"index": "logstash"
}
],
"type": "index_not_found_exception",
"reason": "no such index",
"resource.type": "index_or_alias",
"resource.id": "logstash",
"index_uuid": "na",
"index": "logstash"
},
"status": 404
}


(Tag V) #7
input {
file {
path => "/var/log/my_apache_logs/*.log"
sincedb_path => "/dev/null"
start_position => "beginning"
}
}
filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}"}
}
geoip {
source => "clientip"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}

mutate {
convert => { "[geoip][coordinates]" => "float" }
}
}
output {
stdout { codec => rubydebug }
elasticsearch {
hosts => [ "localhost:9200" ]
index => "logstash-apache-%{+YYYY.MM.dd}"
}
}

#8

https://pastebin.com/BV7mF06a
it's read and return to cli


(system) #9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.