Vault audit log issue sending to elasticsearch

Elastic Stack Logstash
1

My filebeat config

filebeat.inputs:
    - type: log
      enabled: true
      json.keys_under_root: true
      json.overwrite_keys: true
      json.message_key: log
      paths:
        - /var/log/vault_audit.log
      fields:
        type: audit
      fields_under_root: true
    - type: log
      enabled: true
      paths:
        - /var/log/vault_lease.log
      fields:
        type: lease
      fields_under_root: true
    output.logstash:
      enabled: true
      hosts:
        - "<example.com>:5045"
      ssl.enabled: true
      worker: 2
      loadbalance: true

My Logstash Config

       input {
              beats {
                port => 5045
              }
            }
            filter {
              #/var/log/vault_lease.log
              if [type] == "lease" {
              grok {
                    match => { "message" =>"%{NOTSPACE:timestamp} \[%{LOGLEVEL:loglevel}\]%{DATA:raw_data}:%{GREEDYDATA:message}" }
                  }
              }
              #/var/log/vault_audit.log
              if [type] == "audit" {
              date {
                      match => ["time", "yyyy-MM-dd HH:mm:ss,SSS", "yyyy-MM-dd HH:mm:ss", "ISO8601"]
                      target => "@timestamp"
                      remove_field => "time"
                      tag_on_failure => [ "_dateparsefailure" ]
                }
              }
            }
            output {
            if [type] == "audit" {
                   elasticsearch {
                      hosts => ["<example.com>:9200"]
                      index => "vault-audit-%{[@metadata][version]}-%{+YYYY.MM.dd}"
                      }
                  }
                if [type] == "lease" {
                  elasticsearch {
                      hosts => ["<example.com>:9200"]
                      index => "vault-lease-%{[@metadata][version]}-%{+YYYY.MM.dd}"
                     }
                 }
           }

My /var/log/vault_audit.log
{"time":"2019-10-29T20:47:14.815642694Z","type":"request","auth":{"client_token":"hmac-sha256:6916e7410a073286e8c9a7b05a53b5117014a5641ad92ed7aa08b8af12fa6ebe","accessor":"hmac-sha256:864a6b3a596eb4118035fc1f40ba806f9b4c666004c0c43f92652b171a0b1101","display_name":"root","policies":["root"],"token_policies":["root"],"token_type":"service"},"request":{"id":"f4adc254-c463-7d65-5a09-9385efbf2b32","operation":"read","client_token":"hmac-sha256:6916e7410a073286e8c9a7b05a53b5117014a5641ad92ed7aa08b8af12fa6ebe","client_token_accessor":"hmac-sha256:864a6b3a596eb4118035fc1f40ba806f9b4c666004c0c43f92652b171a0b1101","namespace":{"id":"root"},"path":"sys/mounts","remote_address":"96.112.245.168"}}

My /var/log/vault_lease.log
2019-10-25T22:24:01.481Z [INFO] expiration: revoked lease: lease_id=auth/<abc>/login/abcbabacbadbadbadbadbabdchbajndsadbnnvcxbcxvbasdnlasadbasdjsadfbkabcbabacbadbadbadbadbabdchbajndsadbnnvcxbcxvbasdnlasadbasdjsadfbk 2019-10-25T22:24:16.360Z [INFO] expiration: revoked lease: lease_id=auth/<abc>/login/abcbabacbadbadbadbadbabdchbajndsadbnnvcxbcxvbasdnlasadbasdjsadfbkabcbabacbadbadbadbadbabdchbajndsadbnnvcxbcxvbasdnlasadbasdjsadfbk

The problem here is it doesnt create index with name "vault-lease-*" in elasticsearch and also let me know if this is the correct configuration ?Preformatted text

2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.