Queries regarding logsatsh configuration file

Ajay_Kumar.S · November 6, 2023, 6:16am

input {
beats {
port => "9006"

}
}

filter {

mutate {
add_field => { "beat_version" => "%{[beat][version]}" }
}

mutate {
add_field => { "log_file" => "%{[log][file][path]}" }

}
mutate {
add_field => { "beat_input_type" => "%{[input][type]}" }
}

mutate{
remove_field => [ "offset","prospector","@version","source","host","beat","log","input" ]
}

if [message] =~ /^#/ {
drop {}

}

mutate {
split => { "message" => "\t" }
}

if [message] {
grok {
match => {
"message" => "%{NUMBER:ts:float} %{DATA:uid} %{IP:id.orig_h} %{NUMBER:id.orig_p:int} %{IP:id.resp_h} %{NUMBER:id.resp_p:int} %{DATA:proto} %{DATA:service} %{NUMBER:duration:float} %{NUMBER:orig_bytes:int} %{NUMBER:resp_bytes:int} %{DATA:conn_state} %{DATA:local_orig} %{NUMBER:missed_bytes:int} %{DATA:history} %{NUMBER:orig_pkts:int} %{NUMBER:orig_ip_bytes:int} %{NUMBER:resp_pkts:int} %{NUMBER:resp_ip_bytes:int} %{DATA:tunnel_parents} %{DATA:threat}"
}
}

}

date {
  match => ["ts", "UNIX"]
  target => "@timestamp"
}

}

output{
elasticsearch{
hosts => ["https://0.0.0.0:9200"]
index => "zeek-%{+YYYY.MM.dd}"

ssl_certificate_verification => false
       user => "elastic"
       password => "WNPUwxtVX_1-d-fUGorw"

}
stdout { codec => rubydebug }
}

I am not able to parse the data based on above script. Please provide me with an updated script

system · December 4, 2023, 6:16am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Clarification on logstash configuration Logstash	3	234	October 21, 2019
Several config files for beats in logstash Logstash	5	2754	July 6, 2017
Help you need to configure log files via filebeat and not logstash Beats docker , filebeat	7	184	March 6, 2024
Conf file issues Logstash	2	696	July 6, 2017
Filebeat fields value unable to use it in logstash configuration file Logstash	9	569	February 7, 2021

Queries regarding logsatsh configuration file

Related Topics