SSH field not showing up with System module

Elastic Stack Beats
1

Hello,

I've setup an Elastic Stack and some Filebeat clients with System module enabled, but the SSH fields doesn't show up.

Fileset.module and fileset.name are correct, and the messages I receive in Elastic have the format
Oct 30 09:04:53 VBOX_DEB_TEST sshd[1670]: Failed password for root from 192.168.1.129 port 62167 ssh2

I've setup Filebeat to send to Logstash, but I don't know exactly why those ssh fields doesn't show up. I'm not using any custom configuration, all the settings are the default.

What I'm doing wrong?

2

Hi @dvelasco and welcome :slight_smile:

It seems that current pattern we use to parse hostnames doesn't accept underscores, I have opened an issue (#8814) to follow on this.

Thanks for reporting!

3

@dvelasco, Adding...You can't use the filebeat dashboards when you use logstash as output in filebeat.yml.

If you still want to use the feature of filebeat dashboard and logstash as output you need to create the logtsash pipeline for your syslog, auth.log etc.

You can refer the below link:

https://www.elastic.co/guide/en/logstash/5.6/filebeat-modules.html

Kindly let me know if you have any query.

Thanks.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.