Hello
Currently I have 2 versions of beat on my infra, 5.5 and 6.4. My logstash version is 5.6, so compatible with beat client 5.5 and 6.4.
I try to detect the beat version of the document and redirect it to the correct output. My document in 6.4 doesn't index in elasticsearch but 5.5 works.
output {
  if [beat][version] == "6.4.2" {
    # Events from Beats 6.4.2 clients go to the v6 index
    elasticsearch {
      hosts => ["172.18.3.192:9200", "172.18.3.191:9200"]
      ssl => true
      # TLS is on, but the server certificate is not verified
      ssl_certificate_verification => false
      index => "logstash-syslog-hp-v6-%{+YYYY.MM}"
      user => "xxxx"
      password => "xxxx"
    }
  } else {
    # All other events go to the existing index
    elasticsearch {
      hosts => ["172.18.3.192:9200", "172.18.3.191:9200"]
      ssl => true
      ssl_certificate_verification => false
      index => "logstash-syslog-hp-%{+YYYY.MM}"
      user => "xxxxx"
      password => "xxxxx"
    }
  }
}
Thanks in advance for your help, I tried everything.
Hello
Thanks for your fast reply, I tried but it doesn't work. I wonder if the [beat][version] is correct; on the elastic site they say [@metadata][version] to access the beat version, but it doesn't work either. I tried [@metadata][version] or [@metadata][beat][version] or [beat][version], nothing works.
Same issue.
Below is the output received by logstash:
[2018-11-26T12:17:07,378][DEBUG][logstash.pipeline ] output received {"event"=>{"appli_hostname"=>"FRCCEISEPT01", "syslog_severity_code"=>5, "offset"=>217996292, "syslog_facility"=>"user-level", "project"=>"infra", "syslog_facility_code"=>1, "source"=>"/var/log/messages", "message"=>"Nov 26 12:16:33 FRCCEISEPT01 journal: E1126 11:16:33.174102 1 authentication.go:62] Unable to authenticate the request due to an error: [x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes"), x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")]", "env"=>"TST", "type"=>"log", "syslog_severity"=>"notice", "tags"=>["beats_input_codec_plain_applied", "v6"], "appli_timestamp"=>"Nov 26 12:16:33", "received_from"=>"{"name":"FRCCEISEPT01"}", "@timestamp"=>2018-11-26T11:16:33.000Z, "int1"=>1, "appli"=>["syslog", "syslog"], "appli_message"=>"E1126 11:16:33.174102 1 authentication.go:62] Unable to authenticate the request due to an error: [x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes"), x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")]", "received_at"=>"2018-11-26T11:16:34.101Z", "@version"=>"1", "beat"=>{"name"=>"FRCCEISEPT01", "hostname"=>"FRCCEISEPT01", "version"=>"6.4.2"}, "host"=>{"name"=>"FRCCEISEPT01"}, "appli_program"=>"journal"}}
Hi, in fact the part about ssl certificates is the content of the messages field received by the client:
"message"=>"Nov 26 12:16:33 FRCCEISEPT01 journal: E1126 11:16:33.174102 1 authentication.go:62] Unable to authenticate the request due to an error: [x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes"), x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes"
The documents that should go in logstash-syslog-hp-* are fine and work, but the index system-hp-* where filebeat client 6.4 should be indexed doesn't work: no index created, no document.