Hello, I want to send the logs from one server to this one, but the logs don't arrive. I am showing you the files so you can see if you can help me.
sudo cat /etc/logstash/conf.d/30-Elasticsearch-output.conf
> # Ships every event to the Elasticsearch node on this host over plain HTTP with
> # no credentials. That is only acceptable while 9200 stays bound to localhost;
> # if it is ever exposed on the network, add user/password (or api_key) and ssl here.
> output {
> elasticsearch {
> hosts => ["localhost:9200"]
> # Logstash will not install an index template itself: the template must already
> # be in Elasticsearch (e.g. from filebeat's setup step), otherwise fields such as
> # the geoip location may end up mapped as ordinary objects instead of geo_point.
> manage_template => false
> # One index per beat, beat version and UTC day, e.g.
> # filebeat-7.x.y-2020.01.01 (constructed example).
> index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
> }
> }
sudo cat /etc/logstash/conf.d/10-syslog-filter.conf
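> # Parses events produced by filebeat's "system" module (auth and syslog filesets).
> # Events from any other module or fileset fall through this filter untouched and
> # still reach the output, so a missing match here does not make logs disappear —
> # it only leaves them unparsed.
> filter {
> if [fileset][module] == "system" {
> if [fileset][name] == "auth" {
> grok {
> # Patterns are tried in order; the first match wins. The final pattern is a
> # catch-all, so practically every auth line matches and keeps its raw text in
> # [system][auth][message]. All captures use the bracketed nested-field form.
> match => { "message" => ["%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} %{DATA:[system][auth][ssh][method]} for (invalid user )?%{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]} port %{NUMBER:[system][auth][ssh][port]} ssh2(: %{GREEDYDATA:[system][auth][ssh][signature]})?",
> "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} user %{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]}",
> "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: Did not receive identification string from %{IPORHOST:[system][auth][ssh][dropped_ip]}",
> # The sudo COMMAND is captured verbatim: anything passed on a sudo command line
> # (including secrets given as arguments) is indexed as-is.
> "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sudo(?:\[%{POSINT:[system][auth][pid]}\])?: \s*%{DATA:[system][auth][user]} :( %{DATA:[system][auth][sudo][error]} ;)? TTY=%{DATA:[system][auth][sudo][tty]} ; PWD=%{DATA:[system][auth][sudo][pwd]} ; USER=%{DATA:[system][auth][sudo][user]} ; COMMAND=%{GREEDYDATA:[system][auth][sudo][command]}",
> # groupadd fields now use the same bracketed notation as every other capture
> # (previously the dotted form system.auth.groupadd.*, which creates a field whose
> # name literally contains dots inside Logstash). Elasticsearch expands either form
> # to the same document path, so existing index mappings should be unaffected.
> "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} groupadd(?:\[%{POSINT:[system][auth][pid]}\])?: new group: name=%{DATA:[system][auth][groupadd][name]}, GID=%{NUMBER:[system][auth][groupadd][gid]}",
> "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} useradd(?:\[%{POSINT:[system][auth][pid]}\])?: new user: name=%{DATA:[system][auth][user][add][name]}, UID=%{NUMBER:[system][auth][user][add][uid]}, GID=%{NUMBER:[system][auth][user][add][gid]}, home=%{DATA:[system][auth][user][add][home]}, shell=%{DATA:[system][auth][user][add][shell]}$",
> "%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} %{DATA:[system][auth][program]}(?:\[%{POSINT:[system][auth][pid]}\])?: %{GREEDYMULTILINE:[system][auth][message]}"] }
> # GREEDYDATA stops at a newline; this custom pattern also swallows line breaks so
> # multi-line messages are captured whole.
> pattern_definitions => {
> "GREEDYMULTILINE"=> "(.|\n)*"
> }
> # Only applied when one of the patterns matched; the raw line is then redundant.
> remove_field => "message"
> }
> # Syslog timestamps carry no year; the date filter assumes the current one.
> date {
> match => [ "[system][auth][timestamp]", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
> }
> # Geo-locates the sshd peer address. Events without that field (sudo, useradd, ...)
> # get a lookup-failure tag; none are dropped.
> geoip {
> source => "[system][auth][ssh][ip]"
> target => "[system][auth][ssh][geoip]"
> }
> }
> else if [fileset][name] == "syslog" {
> grok {
> match => { "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:[system][syslog][hostname]} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"] }
> pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
> remove_field => "message"
> }
> date {
> match => [ "[system][syslog][timestamp]", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
> }
> }
> }
> }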
ubuntukiba@ubuntukiba:~$ sudo cat /etc/logstash/conf.d/02-beats-input.conf
> # Beats listener. With no host => given it binds to all interfaces, and with no
> # ssl settings the connection is plaintext and unauthenticated: any host able to
> # reach TCP/5044 can submit events. Once a remote client ships here, set
> # ssl => true with ssl_certificate/ssl_key, and point the client's
> # output.logstash ssl.certificate_authorities at the issuing CA.
> # If the remote client's events never appear, first confirm this port is
> # actually listening on the server and that the server's firewall admits
> # TCP/5044 from the client's address.
> input {
> beats {
> port => 5044
> }
> }
/etc/filebeat/filebeat.yml
> # Server-side filebeat: ships to the Logstash instance on the same host.
> # This is the working reference; the client's config should differ only in the address.
> output.logstash:
> # The Logstash hosts
> hosts: ["localhost:5044"]
CLIENT
> # Client-side filebeat, shipping to the server over the network.
> # No ssl.* settings are present, so events travel in cleartext and the server is
> # not verified; add ssl.certificate_authorities once the server's beats input has TLS.
> output.logstash:
> # The Logstash hosts
> # NOTE(review): the entry must be the bare address and port, 192.168.14.78:5044.
> # "(THE SERVER)" reads as an annotation, but if it is literally in the file
> # filebeat cannot parse the host and nothing is sent. Filebeat's own log will
> # show connection errors to that address if the server is unreachable.
> hosts: ["192.168.14.78(THE SERVER):5044"]