Syslog messages into logstash

Hi all!
I want to get syslog messages from servers.
I have installed the ELK stack on a CentOS 7 server.
There is "no default index pattern".
As I understand it, I need to install and configure "filebeat" on the client server side.

I have a question: after the ELK stack is installed, do I need to create a "default index pattern"?

logstash config:
filter {
  # Filebeat 6 sets no "type" field by default; the shipper has to add it
  # (e.g. fields: {type: syslog} with fields_under_root: true) or this
  # condition never matches and the events pass through unparsed.
  if [type] == "syslog" {
    grok {
      # The "[" and "]" around the pid must be escaped (\[ ... \]); unescaped
      # they form a character class instead of matching literal brackets.
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      # syslog timestamps carry no year; the date filter assumes the current one
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    # Beats events land in "<beatname>-YYYY.MM.dd", e.g. filebeat-2018.04.27
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
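To check what the grok and date filters above actually extract before sending anything to Elasticsearch, here is an added Python example (not part of the original post). It hand-translates the grok patterns used in the config into Python regexes (an assumption: these are simplified approximations, not the exact pattern definitions shipped with Logstash) and runs them over a few constructed syslog lines, including one without a pid and one that is not syslog at all.

```python
import re
from datetime import datetime
from typing import Dict, Optional

# Hand-written approximations of the grok patterns named in the posted filter
# (assumption: simplified, not the exact definitions shipped with Logstash).
MONTH = r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
MONTHDAY = r"(?:[12]\d|3[01]|0?[1-9])"
TIME = r"\d{2}:\d{2}:\d{2}"
SYSLOGTIMESTAMP = rf"{MONTH} +{MONTHDAY} {TIME}"   # "Apr  5 ..." has two spaces
SYSLOGHOST = r"[A-Za-z0-9._-]+"
DATA = r".*?"
POSINT = r"[1-9]\d*"
GREEDYDATA = r".*"

# Same layout as the grok match in the config. The "\[" and "\]" around the pid
# are escaped: unescaped they would form a character class instead of brackets.
SYSLOG_LINE = re.compile(
    rf"^(?P<syslog_timestamp>{SYSLOGTIMESTAMP}) "
    rf"(?P<syslog_hostname>{SYSLOGHOST}) "
    rf"(?P<syslog_program>{DATA})"
    rf"(?:\[(?P<syslog_pid>{POSINT})\])?: "
    rf"(?P<syslog_message>{GREEDYDATA})$"
)

# Constructed sample lines (not real log data).
SAMPLE_LINES = [
    "Apr 27 10:15:42 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "Apr  5 03:00:01 db01 CRON: (root) CMD (run-parts /etc/cron.hourly)",
    "Apr 27 10:16:00 web01 kernel: [12345.678] usb 1-1: new high-speed USB device",
    "this line is not syslog at all",
]


def parse_syslog_line(line: str, year: Optional[int] = None) -> Optional[Dict[str, object]]:
    """Return the fields the grok + date filters would produce, or None when the
    line does not match (Logstash would tag the event _grokparsefailure instead)."""
    m = SYSLOG_LINE.match(line)
    if m is None:
        return None
    fields: Dict[str, object] = m.groupdict()
    # The date patterns "MMM d HH:mm:ss" / "MMM dd HH:mm:ss" carry no year, so,
    # like the date filter, we assume one (default: the current year).
    year = year or datetime.now().year
    stamp = " ".join(str(fields["syslog_timestamp"]).split())  # collapse "Apr  5"
    fields["@timestamp"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return fields


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_syslog_line(sample, year=2018))
```

Lines that return None are the ones Logstash would tag with _grokparsefailure; looking for that tag in the index is the quickest way to see whether the pattern, rather than the shipper, is the problem.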

https://www.elastic.co/guide/en/kibana/current/tutorial-define-index.html

Hello, thanks for your answer!
I have read this tutorial, but Kibana 6.X does not have an "Add New" button...
As I understand it, that button appears once I have installed and set up, for example, filebeat on the client server side?

Can you send me the output of GET _cat/indices?v?

health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .kibana 6CfpdIAbSvuG-wyoLyU3Dg 1 0 2 0 10.1kb 10.1kb
yellow open logstash-2018.04.27 2VBsjn8eQX2cSStxj4fCKg 5 1 39 0 146.3kb 146.3kb

So you do have a non-system index called logstash-2018.04.27 with 39 documents.

Go to Kibana Discover and see the section that says "checking for index pattern"; there you can add the logstash-* pattern to start discovering the LS data.
ref: https://www.elastic.co/guide/en/kibana/current/tutorial-define-index.html

As for filebeat, you need to check why it's not working: check that it is effectively sending to LS; at best, have a look at the documents you have in the LS index first.
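The reply above reads the _cat/indices output by eye. As an added example (not from the thread's participants), the Python below does the same check mechanically: it parses the posted _cat/indices?v table, separates system indices (dot-prefixed) from data indices, collapses daily indices into the wildcard pattern Kibana needs, flags yellow indices whose replicas cannot be allocated on a single node, and builds the request body for creating the index pattern through the Kibana saved objects API (assumption: POST /api/saved_objects/index-pattern with a kbn-xsrf header, as in Kibana 6.x; verify against your version's docs).

```python
import re
from typing import Dict, List

# Constructed sample: the _cat/indices?v output posted in the thread, re-aligned.
SAMPLE_CAT_INDICES = """\
health status index               uuid                   pri rep docs.count docs.deleted store.size pri.store.size
green  open   .kibana             6CfpdIAbSvuG-wyoLyU3Dg   1   0          2            0     10.1kb         10.1kb
yellow open   logstash-2018.04.27 2VBsjn8eQX2cSStxj4fCKg   5   1         39            0    146.3kb        146.3kb
"""

# Daily suffix produced by index => "...-%{+YYYY.MM.dd}" in the output config.
DATE_SUFFIX = re.compile(r"-\d{4}\.\d{2}\.\d{2}$")


def parse_cat_indices(text: str) -> List[Dict[str, str]]:
    """Parse the whitespace-separated table _cat/indices?v prints (header first)."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows: List[Dict[str, str]] = []
    for line in lines[1:]:
        values = line.split()
        if len(values) != len(header):
            raise ValueError(f"unexpected column count in row: {line!r}")
        rows.append(dict(zip(header, values)))
    return rows


def user_indices(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Indices that are not Kibana/system indices (those start with a dot)."""
    return [r for r in rows if not r["index"].startswith(".")]


def suggested_patterns(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Collapse daily indices into the wildcard pattern Kibana needs, with doc totals."""
    totals: Dict[str, int] = {}
    for r in user_indices(rows):
        pattern = DATE_SUFFIX.sub("-*", r["index"])
        totals[pattern] = totals.get(pattern, 0) + int(r["docs.count"])
    return totals


def unassigned_replica_indices(rows: List[Dict[str, str]]) -> List[str]:
    """Yellow indices with rep > 0: on a single node their replicas never allocate."""
    return [r["index"] for r in rows if r["health"] == "yellow" and int(r["rep"]) > 0]


def kibana_index_pattern_body(pattern: str, time_field: str = "@timestamp") -> Dict[str, Dict[str, str]]:
    """Body for POST /api/saved_objects/index-pattern (assumed Kibana 6.x API;
    the request also needs a 'kbn-xsrf: true' header)."""
    return {"attributes": {"title": pattern, "timeFieldName": time_field}}


if __name__ == "__main__":
    indices = parse_cat_indices(SAMPLE_CAT_INDICES)
    for pattern, docs in suggested_patterns(indices).items():
        print(f"index pattern {pattern!r} would cover {docs} documents")
        print(kibana_index_pattern_body(pattern))
    print("replicas unassigned:", unassigned_replica_indices(indices))
```

Two things the parsed table makes visible: the only data index is logstash-*, while the posted output config writes Beats events to "<beat>-YYYY.MM.dd" (i.e. filebeat-*), so those 39 documents did not arrive through that output; and the index is yellow with rep 1, which on a single-node cluster simply means the replica shard has nowhere to go.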
