Test on beat version doesn't work

Yilmaz_Cam · November 26, 2018, 10:42am

Hello
Currently i have 2 versions of beat on my infra 5.5 and 6.4, my logstash version is 5.6 so compatible with beat client 5.5 and 6.4.
I try to detect the beat version of the document and redirect it to correct output. My document in 6.4 doesn't index in elasticsearch but 5.5 works .
if [beat][version] == "6.4.2" {
elasticsearch {
hosts => ["172.18.3.192:9200", "172.18.3.191:9200"]
ssl => true
ssl_certificate_verification => false
index => "logstash-syslog-hp-v6-%{+YYYY.MM}"
user => "xxxx"
password => "xxxx"
}
}
else {
elasticsearch {
hosts => ["172.18.3.192:9200", "172.18.3.191:9200"]
ssl => true
ssl_certificate_verification => false
index => "logstash-syslog-hp-%{+YYYY.MM}"
user => "xxxxx"
password => "xxxxx"
}
}

Thanks in advance for your help i tried everything .

Eniqmatic · November 26, 2018, 10:59am

Try this

if [beat][version] == 6.4.2 {

Yilmaz_Cam · November 26, 2018, 11:08am

Hello
Thanks for your fast reply, I tried but doesn't work. I wonder if the [beat][version] is correct, on elastic site they say [@metadata] [version] to access to beat version but it doesn't work too. I tried [@metadata][version] or [@metadata][beat][version] or [beat][version] , nothing work

Eniqmatic · November 26, 2018, 11:11am

Can you try this:

if "6.4.2" in [beat][version] {

Yilmaz_Cam · November 29, 2018, 10:18am

same issue .
bellow the output received by logstash :
[2018-11-26T12:17:07,378][DEBUG][logstash.pipeline ] output received {"event"=>{"appli_hostname"=>"FRCCEISEPT01", "syslog_severity_code"=>5, "offset"=>217996292, "syslog_facility"=>"user-level", "project"=>"infra", "syslog_facility_code"=>1, "source"=>"/var/log/messages", "message"=>"Nov 26 12:16:33 FRCCEISEPT01 journal: E1126 11:16:33.174102 1 authentication.go:62] Unable to authenticate the request due to an error: [x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes"), x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")]", "env"=>"TST", "type"=>"log", "syslog_severity"=>"notice", "tags"=>["beats_input_codec_plain_applied", "v6"], "appli_timestamp"=>"Nov 26 12:16:33", "received_from"=>"{"name":"FRCCEISEPT01"}", "@timestamp"=>2018-11-26T11:16:33.000Z, "int1"=>1, "appli"=>["syslog", "syslog"], "appli_message"=>"E1126 11:16:33.174102 1 authentication.go:62] Unable to authenticate the request due to an error: [x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes"), x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")]", "received_at"=>"2018-11-26T11:16:34.101Z", "@version"=>"1", "beat"=>{"name"=>"FRCCEISEPT01", "hostname"=>"FRCCEISEPT01", "version"=>"6.4.2"}, "host"=>{"name"=>"FRCCEISEPT01"}, "appli_program"=>"journal"}}

Eniqmatic · November 29, 2018, 10:39am

That's not the same issue, please read the error message, it does not like your certificate!

Yilmaz_Cam · November 29, 2018, 10:59am

Hi in fact the the part about ssl certificates is the content of the messages field received by the client :

"message"=>;"Nov 26 12:16:33 FRCCEISEPT01 journal: E1126 11:16:33.174102 1 authentication.go:62] Unable to authenticate the request due to an error: [x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes"), x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes"

Eniqmatic · November 29, 2018, 11:20am

My apologies!

Can you please post your full config?

Yilmaz_Cam · November 30, 2018, 4:20pm

Sorry for late reply,
- filebeat client 6.4
filebeat.yml :
filebeat:
registry_file: /var/lib/filebeat/registry
config_dir: /etc/filebeat/conf.d
prospectors:
-
paths:
- /var/log/messages
- /var/log/secure
input_type: log
fields_under_root: true
fields:
project: infra
env: TST
appli: syslog
document_type: syslog
force_close_files: true

output:
logstash:
hosts: ["XXXXX:5044", "XXXXXXXX:5044"]
loadbalance: false
enable: true
ssl:
certificate_authorities: ["/etc/filebeat/logstash.crt"]
verification_mode: "none"

shipper:
logging:
level: error
to_syslog: false
to_files: true
files:
path: /var/log/filebeat
name: filebeat.log
rotateeverybytes: 99999999999
keepfiles: 2

**Logstash server 5.6 **
- config file :
input {
beats {
port => 5044
type => "log"
ssl => true
ssl_certificate => "/etc/logstash/logstash.crt"
ssl_key => "/etc/logstash/logstash.key"
ssl_verify_mode => "none"
}
}

filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:appli_timestamp} %{SYSLOGHOST:appli_hostname} %{DATA:appli_program}(?:[%{POSINT:appli_pid}])?: %{GREEDYDATA:appli_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
tag_on_failure => ["soucis-grok"]
}
}
output {
if [@metadata][version] == "6.4.2" {
elasticsearch {
hosts => ["XXXXX:9200", "XXXX:9200"]
ssl => true
ssl_certificate_verification => false
index => "system-hp-%{+YYYY.MM}"
user => "XXXX"
password => "XXXX"
}
}
else {
elasticsearch {
hosts => ["172.18.3.192:9200", "172.18.3.191:9200"]
ssl => true
ssl_certificate_verification => false
index => "logstash-syslog-hp-%{+YYYY.MM}"
user => "XXX"
password => "XXX"
}
}
}
template file on elastic (5.6)
{
"system-hp": {
"order": 0,
"version": 50001,
"template": "system-hp-",
"settings": {
"index": {
"number_of_shards": "3",
"refresh_interval": "5s"
}
},
"mappings": {
"default": {
"dynamic_templates": [
{
"message_field": {
"path_match": "message",
"match_mapping_type": "string",
"mapping": {
"type": "text",
"norms": false
}
}
},
{
"string_fields": {
"match": "",
"match_mapping_type": "string",
"mapping": {
"type": "text",
"norms": false,
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
}
],
"properties": {
"@timestamp": {
"type": "date"
},
"@version": {
"type": "keyword"
}
}
}
},
"aliases": {}
}
}

The document that should go in logstash-syslog-hp-* are fine and works, but the index system-hp-* where filebeat client 6.4 should be indexed doesn't work no index created no document .

system · December 28, 2018, 4:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to filter beat data by version on logstash? Logstash	3	629	August 22, 2020
Logstash index setting now requires version Beats filebeat	5	880	April 8, 2018
%{[@metadata][version]} not being rendered Logstash	1	416	December 26, 2017
Get %{[@metadata][beat]}-%{[@metadata][version]} index Beats	5	3257	December 26, 2017
Version-specific beats index template for every update required? Beats filebeat , winlogbeat , auditbeat	1	446	January 18, 2022

Test on beat version doesn't work

Related topics