Timestamp mapping in CEF

Cabbage · July 27, 2016, 11:52am

Hi! I have a problem with mapping timestamp field.
I have log with events like this

CEF:0|SI|Audit|1.2|SECA0023|Report Started|3|rt=Jul 25 2016 11:20:28 msg=Report RSRZLLG0 Started duser=SYS shost= cs2=000 cs2Label=client destinationServiceName= dproc=RSRZLLG0 cat=AUW
CEF:0|SI|Audit|1.2|SECA0023|Report Started|3|rt=Jul 25 2016 11:24:35 msg=Report RSRZLLG0_ACTUAL Started duser=SYS shost= cs2=000 cs2Label=client destinationServiceName= dproc=RSRZLLG0_ACTUAL cat=AUW

So I use Logstash plugins Cef and Date for analyzyng this.
Logstash configuration file looks like

input {
	stdin { }
	file {
		path => "/home/user/logs/*"
		codec => cef
		start_position => "beginning" } }
filter {
	date {
		match => [ "rt", "MMMM DD YYYY HH:mm:ss" ]
		target => [ "rt"] } }
output {
	elasticsearch {
		hosts => ["172.16.2.123:9200"]
		index => "test" } }

It sends events Elastic but, I can't choose the filed "rt" as timestamp field in Kibana.
So the question is - What I'm doing wrong? Thank you.

P.S. In Kibana all extension part fields (rt, cat, msg) extracted like cef_ext.rt, cef_ext.cat, cef_ext.msg

magnusbaeck · July 30, 2016, 9:27am

What's the contents of the rt field? What's the mapping of that field? Use Elasticsearch's get mapping API.