@timestamp does not match the log date

The timestamp does not match the actual log time in Kibana:
@timestamp January 26th 2021, 23:38:10.426
message [2021-01-22 09:53:09] php.CRITICAL: Uncaught Error: Call to a member function getName() on null {"exception":"[object] (Error(code: 0): Call to a member function getName() on null at /var/www/html/vendor/bundles/AdminBundle/Controller/AdminController.php:78)"}
Below is my Logstash configuration:

    input {
      beats {
        port => "5044"
        ssl => false
      }
    }
    filter {
      date {
        match => [ "message" , "yyyy-MM-dd HH:mm:ss" ]
        target => "@timestamp"
        locale => "en"
        timezone => "GMT"
      }
    }

Could you please help me with the configurations.

Sample log: [2021-01-22 09:53:09] php.CRITICAL: Uncaught Error: Call to a member function getName() on null {"exception":"[object] (Error(code: 0): Call to a member function getName() on null at /var/www/html/vendor/bundles/AdminBundle/Controller/AdminController.php:78)"}

The pattern in the date filter has to match the entire contents of the field that you pass it, so you will need to extract the date from [message]. You could try

    dissect { mapping => { "message" => "%{}[%{[@metadata][date]}]%{}" } }
    date { match => [ "[@metadata][date]", "yyyy-MM-dd HH:mm:ss" ] }

Hi Badger,
Thank you for the quick reply. I am now getting the error below while running Logstash:
[WARN ] 2021-01-27 12:10:57.688 [nioEventLoopGroup-2-10] DefaultChannelPipeline - An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 69

This is my Beats configuration:

    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /root/prod.log
    output.logstash:
      hosts: ["localhost:5044"]

And this is my Logstash configuration:

    input {
      beats {
        port => "5044"
        ssl => false
      }
    }
    filter {
      grok {
        match => { "message" => "[%{TIMESTAMP_ISO8601:timestamp}]{0,1}%{GREEDYDATA:Message}" }
      }
      dissect {
        mapping => { "message" => "%{}[%{[@metadata][date]}]%{}" }
      }
      date {
        match => [ "[@metadata][date]", "yyyy-MM-dd HH:mm:ss" ]
      }
    }

Could you please help with this?

Generally this means that something that is not speaking the beats protocol is connecting to the input. Amongst the possible causes are:

  1. A beat with SSL enabled connecting to a beat input with SSL disabled
  2. A beat with SSL disabled connecting to a beat input with SSL enabled
  3. A port scanner (on the public internet you can be certain that folks are port scanning you, on a corporate network this may also happen)
  4. Someone else trying to use the same port
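
An added example, not part of the original thread: a small triage script that reads the number out of each "Invalid version of beats protocol" error and labels what kind of client probably connected, which helps separate an SSL mismatch from unrelated traffic on the port. It assumes the reported number is the first byte the beats input received (a beats frame starts with the ASCII version character `1` or `2`, a TLS handshake record with byte 22); the function names and all sample lines except the first are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: the number in the error is the first byte the beats input read.
# A beats (lumberjack) frame starts with the ASCII version character '1' or '2'.
BEATS_VERSIONS = {ord("1"), ord("2")}
TLS_HANDSHAKE = 0x16             # first byte of a TLS ClientHello record (22)
HTTP_INITIALS = set(b"GPHODCT")  # GET, POST/PUT/PATCH, HEAD, OPTIONS, DELETE, CONNECT, TRACE
ERROR_RE = re.compile(r"Invalid version of beats protocol: (\d+)")


def classify_first_byte(value):
    """Return a short label for the kind of client that sent this first byte."""
    if value in BEATS_VERSIONS:
        return "valid beats version"
    if value == TLS_HANDSHAKE:
        return "TLS handshake (client has SSL enabled, input does not)"
    if value in HTTP_INITIALS:
        return "text starting with %r (possibly an HTTP request)" % chr(value)
    if 0x20 <= value <= 0x7E:
        return "text starting with %r (not a beats frame)" % chr(value)
    return "binary data (not a beats frame)"


def summarize(log_lines):
    """Count the classification of every 'Invalid version' error in the lines."""
    counts = Counter()
    for line in log_lines:
        match = ERROR_RE.search(line)
        if match:
            counts[classify_first_byte(int(match.group(1)))] += 1
    return counts


# The first line is the error quoted in the thread; the rest are constructed samples.
SAMPLE = [
    "io.netty.handler.codec.DecoderException: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 69",
    "org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 22",
    "org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 71",
    "[INFO ] Pipeline started",
]

if __name__ == "__main__":
    for label, n in summarize(SAMPLE).most_common():
        print(n, label)
```

For the value 69 from the thread, the script reports plain text beginning with `E`, so the connection did not come from a TLS-enabled beat.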
