Searches!

Hi people, I have an ELK working with the logs of a Samba file server.
I want to make graphics with unlink files, but I have a lot of tmp files; I want to filter these archives. I read a bit and only found placing "- ", but nothing happened, I have the same result.

Example of a log:
domain\admin | 192.168.1.30|hostname|domain|unlink|541b4a62.tmp

I want to show only the files actually deleted by the user

Any idea?

Thanks!

How do the logs show the deletion?

Hi warkom,

domain\admin | 192.168.1.30|hostname|domain|unlink|541b4a62.tmp

unlink is how the deletion is shown and 541b4a62.tmp is the file.
Another example, of writing a file, would be:
domain\admin | 192.168.1.30|hostname|domain|pwrite|elasticsearch.conf

I can show all of the unlink logs, but I need to filter the .tmp

Can I do it?

Kind regards,
Carlos

Are you breaking the log line down into parts, eg the user, host, filename etc?

Correct, this file server is a Samba; its configuration permits me to specify what I want to appear in the log, separated with |

I can do something, but I found other files. With this line I can discard tmp files:
message:unlink !syslog_message:*.tmp

but I found other temporary files of Word or Excel, like: original.xls and the tmp file ~$original.xls

Now I need to discard ~$original.xls
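As an added example (not code from the thread or from Samba/Elastic), here is how the "real deletion" filter described above can be expressed once the "|"-separated line is split into fields: keep only `unlink` events and drop scratch files (`*.tmp`, Office lock files `~$name`, and, assumed here as a further case, LibreOffice lock files `.~lock.name#`). The log lines and field names are constructed from the format shown in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the thread's "|"-separated layout:
# user | client ip | hostname | domain | operation | path
SAMPLE_LOG = """\
domain\\admin | 192.168.1.30|hostname|domain|unlink|541b4a62.tmp
domain\\admin | 192.168.1.30|hostname|domain|pwrite|elasticsearch.conf
domain\\admin | 192.168.1.30|hostname|domain|unlink|~$original.xls
domain\\admin | 192.168.1.30|hostname|domain|unlink|original.xls
domain\\user2 | 192.168.1.31|hostname|domain|unlink|reports/2023/budget.docx
domain\\user2 | 192.168.1.31|hostname|domain|unlink|reports/.~lock.budget.ods#
"""

FIELDS = ("user", "client_ip", "hostname", "domain", "operation", "path")

# Scratch files that are not deletions a user actually performed:
# *.tmp, Office lock files (~$name) and LibreOffice lock files (.~lock.name#)
SCRATCH_PATTERNS = [
    re.compile(r"\.tmp$", re.IGNORECASE),
    re.compile(r"(^|/)~\$[^/]*$"),
    re.compile(r"(^|/)\.~lock\.[^/]*#$"),
]


@dataclass
class AuditEvent:
    user: str
    client_ip: str
    hostname: str
    domain: str
    operation: str
    path: str


def parse_line(line: str) -> Optional[AuditEvent]:
    # maxsplit keeps any "|" that appears inside the path intact
    parts = [p.strip() for p in line.split("|", len(FIELDS) - 1)]
    if len(parts) != len(FIELDS):
        return None  # malformed line: skip rather than guess
    return AuditEvent(*parts)


def is_scratch_file(path: str) -> bool:
    return any(p.search(path) for p in SCRATCH_PATTERNS)


def real_deletions(log_text: str) -> List[AuditEvent]:
    """Return unlink events whose path is not a scratch/lock file."""
    events = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.operation != "unlink" or is_scratch_file(ev.path):
            continue
        events.append(ev)
    return events
```

Splitting the line into named fields (for example with a Filebeat dissect processor or Logstash) lets the same exclusion run in Kibana against a dedicated path field instead of the whole message.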

Are you extracting each of the sections of the log file, as separated by |, into their own fields via Logstash or something?

The records come from the Samba file server; it automatically puts them in that format to separate each field.

OK, but how does the data get into Elasticsearch?

Filebeat takes the logs
