Updating data doubles and then triples the hit count on kibana

tinamina12 · July 9, 2019, 5:47am

I am trying to parse logs. whenever new logs are written in input file, the logstash reads the whole log file again and adds them in the exisiting parsed logs. my configuration is below. please guide me what am i doing wrong.

** Configuration **

input {
file {
path => "/home/elk/Desktop/policypermit.log"
start_position => "beginning"
type => 'ppermit'
sincedb_path => '/dev/null'
}
file {
path => "/home/elk/Desktop/policydeny.log"
type => 'pdeny'
start_position => "beginning"
sincedb_path => '/dev/null'
}
}

filter{
if [type] == "pdeny" {
grok {
match => [ "message", "\ USG6300 %%01POLICY/6/POLICYDENY(l):\ vsys=public, protocol=%{WORD:pnum}, source-ip=%{IP:src}, source-port=%{WORD:port}, destination-ip=%{IP:dest}, destination-port=%{WORD:destp}, time=%{GREEDYDATA:timestamp}, source-zone=%{WORD:szone}, destination-zone=%{WORD:dzone}, rule-name=%{GREEDYDATA:rname}" ]

mutate
{
remove_field => [ "message" ]
}
}

else if [type] == "ppermit"{
grok {
match => [ "message", "\ USG6300 %%01POLICY/6/POLICYPERMIT(l):\ vsys=public, protocol=%{WORD:pnum}, source-ip=%{IP:src}, source-port=%{WORD:port}, destination-ip=%{IP:dest}, destination-port=%{WORD:destp}, time=%{GREEDYDATA:timestamp}, source-zone=%{WORD:szone}, destination-zone=%{WORD:dzone}, rule-name=%{GREEDYDATA:rname}" ]

mutate
{
remove_field => [ "message" ]
}

}

output {
if [type] == "pdeny" {
elasticsearch {
hosts => ["http://localhost:9200"]
index => "alog"

}
}
else
{
elasticsearch {
hosts => ["http://localhost:9200"]
index => "blog"

}
}
stdout { codec => rubydebug }
}

Christian_Dahlqvist · July 9, 2019, 5:56am

This means that Logstash will not keep track of what it has read across restarts. Removing this or setting it to a valid path should resolve the problem.

tinamina12 · July 9, 2019, 6:29am

removed it, but still getting the duplicates. is there something to do with start_position?

Christian_Dahlqvist · July 9, 2019, 7:18am

Do you have any other files in the config directory, e.g. older versions? Logstash concatenates all files which means all data will go to all outputs unless conditionals are used.

tinamina12 · July 9, 2019, 9:14am

Nope, no other file. i have tried using fingerprint filter and it seems to solve my problem for now.

system · August 6, 2019, 9:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Duplicated logs from logstash after append logs Logstash	7	2143	July 6, 2017
Duplicate data parsed by Logstash, which cause duplicate data in Elasticsearch index Logstash	5	1617	October 6, 2017
Logstash configuration: filters using GROK different logs from one type of log file Logstash	6	1405	July 6, 2017
Import CSV into Elasticsearch with Logstash issue Logstash	6	1626	May 2, 2018
Two records written by Logstash for each log line Logstash	2	495	September 14, 2017

Updating data doubles and then triples the hit count on kibana

Related topics