Before I start I have to warn you that I'm French and my English is kind of limited.
I just started with ELK, but I want to do something like this:
host A (LAN A) --> logs --\
                           --> rsyslog server --> Logstash syslog input --> cidr filter (tag according to the source network of the log) --> output: if tag lanA, put it in index LANA; else if tag lanB, put it in index LANB; else stdout --> Elasticsearch
host B (LAN B) --> logs --/
The cidr filter for Logstash should check the source network and tag the log with a specific term according to the source of the log, but it's not working... Has someone already tried this filter with this function?
But all logs which come from hosts on the networks 192.168.0.0/24 and 172.16.0.0/16 are displayed on stdout.
Did I make mistakes in the syntax? Has someone already used this plugin to do that?
Thanks for your help guys.
If I understand, I don't need to use any plugin to check the source network? I didn't find any documentation about that; this is great! (Even if it's with regex, which is absolutely not my best skill.)
I have tried what you said, and my configuration file looks like this:
No, you don't have to, but I'd expect regexps to be slower, less flexible, and less readable.
For sure!
Me neither. Reduce the expressions to narrow things down.
I've tried with the /^172.16.0.([0-9]{0,3})/ network, and I still have the same error.
Anyway, if I reduce the expression, how can I manage any network with a non-conventional netmask? In my tests, the 172.16.0.0 network has a /16 netmask, and in my final environment I have all kinds of netmasks.
About what you said about the address option, I have too many hosts to check them one by one; that's why I try to manage them by their network.
Finally, thanks for the documentation. I've already seen it, but there is not much explanation about the regex.
But surely your events have a field containing the IP address you want to check against the CIDR pattern? In what you posted above the field appears to be named network.
That's why I wanted to use the cidr plugin. As I understand it, this plugin checks the host field and compares it with the network I indicate in the option.
By using regex, I think this is the same process, but I can't be sure for the moment.
Thanks for the example.
But you're right, the host field returns the hostname and not the IP address. So Logstash can't find the source of the logs because I don't have any DNS server for my tests.
I will set up a DNS server in my test network and get back to you.
Well, I just noticed I just need to add the hostname and the IP address of each host of my LAN to /etc/hosts to resolve their names.
[[main]>worker0] WARN logstash.filters.cidr - Invalid IP address, skipping {:address=>"%{host}", :event=>2017-01-27T14:00:40.894Z rsyslog Server listening on 0.0.0.0 port
If I understand, it tries to interpret "%{host}" as a hostname?
It tries to expand %{host} into the contents of the host field, but the event in question apparently doesn't have such a field so it leaves the string alone.
Ok, thanks for those explanations.
But as we discussed with magnusbaeck, host fields seem to be filled with hostnames and not with IP addresses.
This problem can be resolved with a reverse DNS, but in any case, Logstash has to resolve something.
This is the content of one of the logs which arrive:
I don't know much about rsyslog, but what I do is this:
The device sends its log messages to a syslog-ng listener, which then forwards them up to a port that Logstash is listening on. I have syslog-ng NOT parse the message, which then captures the entire log message and appends the host IP to the header.
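The pipeline the thread is asking for, written out as an added example (not a configuration posted by anyone in this thread): it covers both the original routing question (tag by source network with cidr, then pick the index from the tag) and the later hostname problem (the cidr filter only accepts an IP address, so a hostname in `host` has to be resolved first, which is exactly what the "Invalid IP address, skipping" warning above is complaining about). The listening port 5514, the Elasticsearch address, the index names and the field name `src_ip` are assumptions; the two networks are the ones from the question.

```logstash
input {
  # rsyslog forwards to this port; any free port works (assumption: 5514).
  syslog {
    port => 5514
  }
}

filter {
  # Depending on the input and on how rsyslog relays, [host] may hold either
  # the sender's IP address or its hostname. The cidr filter only accepts an
  # address, so copy [host] into src_ip (assumed field name) and resolve it
  # when it does not already look like a dotted-quad IPv4 address.
  # The dns filter uses the system resolver, so entries in /etc/hosts are
  # enough for a test network without a DNS server.
  mutate {
    add_field => { "src_ip" => "%{host}" }
  }
  if [src_ip] !~ /^\d{1,3}(\.\d{1,3}){3}$/ {
    dns {
      resolve => ["src_ip"]
      action  => "replace"
    }
  }

  # One cidr filter per network. A real /16 is expressed as a prefix, which is
  # what a regex such as /^172.16.0./ cannot do (that one only matches
  # 172.16.0.x, i.e. a /24, and the unescaped dots match any character).
  cidr {
    address => ["%{src_ip}"]
    network => ["192.168.0.0/24"]
    add_tag => ["lanA"]
  }
  cidr {
    address => ["%{src_ip}"]
    network => ["172.16.0.0/16"]
    add_tag => ["lanB"]
  }
}

output {
  # Route on the tag; anything that matched neither network still goes to
  # stdout so unresolved hostnames (no tag at all) are visible while testing.
  if "lanA" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "lana-%{+YYYY.MM.dd}"
    }
  } else if "lanB" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "lanb-%{+YYYY.MM.dd}"
    }
  } else {
    stdout { codec => rubydebug }
  }
}
```

If the dns lookup fails, `src_ip` keeps the hostname, the cidr filters log the same "Invalid IP address, skipping" warning quoted above and add no tag, and the event ends up on stdout; that is the case to look for first when everything lands on stdout. The syslog-ng approach described in the last post avoids the lookup entirely because the IP address is already in the header when the event reaches Logstash, but the cidr filters still need it extracted into a field before they can test it.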