Unix socket input with stdout

Hello,

I am new to Logstash, but I would like to use its unix socket input capability, which comes in very handy.

I have a program sending data to a unix socket. I have tested that socket and I am 100% sure that data is being sent there. I would like to read from this socket with Logstash and, for now, just output the data on stdout.

I have installed Logstash 6.3.2 from repository, running as service. My logstash.conf file in /etc/logstash/conf.d looks like this:

input {
  unix {
    id => "snort_socket"
    mode => "server"
    path => "/var/log/snort/snort_alert"
  }
  syslog {
    debug => true
  }
}

output {
    codec => rubydebug
    stdout{}
}

However, I see no output. On the internet I found that I should be able to see stdout with
journalctl -u logstash
but no luck so far.

Any help is appreciated.

I found some of my errors in logstash.conf, and corrected them. Now it looks like this:

input {
  unix {
    id => "snort_socket"
    mode => "client"
    path => "/var/log/snort/snort_alert"
  }
}

output {
    stdout {
        codec => rubydebug
    }
}

Unfortunately, I am getting these warning messages, even though the socket is there and I can read from it with a Perl script.
[2018-08-08T16:03:49,466][WARN ][logstash.inputs.unix ] Socket not present, wait for seconds for socket to appear {:client=>"/var/log/snort/snort_alert"}

File.socket?("/var/log/snort/snort_alert") is returning false. What does "ls -l /var/log/snort/snort_alert" say?

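One way to run the check suggested in the reply above, as an added example that is not part of the thread: a small Python script that reports whether the path is really a socket (the File.socket? test the unix input performs) and, by standing in for both ends, shows one record passing through a unix stream socket. The temporary path, the record text and the use of a stream socket are assumptions made for the demo, not taken from the poster's setup.

```python
import os
import socket
import stat
import tempfile
import threading


def socket_status(path):
    """Report what Logstash's unix input sees at `path`.

    The input checks File.socket?, so a missing path, a plain file or a
    FIFO all produce the 'Socket not present' warning from the thread.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return {"exists": False, "is_socket": False, "kind": "missing"}
    if stat.S_ISSOCK(st.st_mode):
        kind = "socket"
    elif stat.S_ISFIFO(st.st_mode):
        kind = "fifo"
    elif stat.S_ISREG(st.st_mode):
        kind = "regular file"
    else:
        kind = "other"
    return {"exists": True, "is_socket": kind == "socket", "kind": kind,
            "mode": oct(stat.S_IMODE(st.st_mode)),  # the logstash user needs access
            "uid": st.st_uid}


def send_line(path, line, timeout=2.0):
    """Connect to an existing stream socket, as mode => "client" does,
    and write one newline-terminated record."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(line.encode() + b"\n")


def self_check(line="constructed test alert"):
    """Listen on a temporary socket (the role Logstash takes in
    mode => "server"), push one constructed record through it and
    return the status report plus the text that arrived."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "snort_alert")  # assumed demo path
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path)
        srv.listen(1)
        got = []

        def accept():
            conn, _ = srv.accept()
            with conn:
                got.append(conn.makefile("rb").readline().decode().rstrip("\n"))

        t = threading.Thread(target=accept)
        t.start()
        status = socket_status(path)  # reported while the socket exists
        send_line(path, line)
        t.join(timeout=5)
        srv.close()
        return status, (got[0] if got else None)
```

Run socket_status("/var/log/snort/snort_alert") on the real path while the sending program is up; a "regular file" or "missing" result explains the warning before any Logstash setting is touched.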

I have altered the file after some tries to

input {
  stdin { }
  unix {
    id => "snort_socket"
    mode => "server"
    path => "/var/log/snort/snort_alert"
  }
}

filter {
    mutate {
        convert => {
            "pkt_num" => "integer"
            "pkt_len" => "integer"
            "src_port" => "integer"
            "dst_port" => "integer"
            "priority" => "integer"
        }
        gsub => ["timestamp", "\d{3}$", ""]
    }
    date {
        match => [ "timestamp", "yy/MM/dd-HH:mm:ss.SSS" ]
    }
    geoip { source => "src_addr" }
}

output {
    elasticsearch {
        hosts => "192.168.10.148:9200"
        index => "logstash_snort"
    }
    stdout { }
}

and made it work. It receives data on the unix socket at the specified path and passes it to Elasticsearch. The problems on the Logstash side are solved for now; now I have to take a look at Snort.
