My Filebeat config
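# Filebeat: one input per Vault log file. Each input stamps a root-level `type`
# field so the Logstash pipeline can route events with `if [type] == ...`.
filebeat.inputs:
  - type: log
    enabled: true
    # Vault audit entries are one JSON object per line; lift the decoded keys to
    # the event root so Logstash sees [time], [request], ... directly.
    json.keys_under_root: true
    json.overwrite_keys: true
    # NOTE(review): the sample audit line has no "log" key, so this setting does
    # nothing here — it looks like a leftover; confirm the intended key or drop it.
    json.message_key: log
    paths:
      - /var/log/vault_audit.log
    # NOTE(review): the audit JSON carries its own "type" key ("request"/"response")
    # that collides with this custom field once keys are under root with
    # overwrite_keys on — check which value reaches Logstash, or use a distinct
    # field name for routing.
    fields:
      type: audit
    fields_under_root: true

  - type: log
    enabled: true
    paths:
      - /var/log/vault_lease.log
    fields:
      type: lease
    fields_under_root: true

output.logstash:
  enabled: true
  hosts:
    - "<example.com>:5045"
  # NOTE(review): TLS is requested here, so the Logstash beats input must also
  # set ssl => true with a certificate/key; the pipeline shown has no ssl block.
  ssl.enabled: true
  worker: 2
  loadbalance: true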
My Logstash Config
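# Receives Vault audit and lease events from Filebeat and routes them by [type].
# Nothing below drops lease events: if vault-lease-* is never created, first
# confirm that events with [type] == "lease" actually arrive (a temporary
# stdout { codec => rubydebug } output is the quickest way to see them).
input {
  beats {
    port => 5045
    # NOTE(review): the Filebeat side sets output.logstash.ssl.enabled: true,
    # but no ssl => true / ssl_certificate / ssl_key is configured here; the two
    # ends must agree or the connection is never established.
  }
}

filter {
  # /var/log/vault_lease.log — plain-text Vault server log lines
  if [type] == "lease" {
    grok {
      match => { "message" => "%{NOTSPACE:timestamp} \[%{LOGLEVEL:loglevel}\]%{DATA:raw_data}:%{GREEDYDATA:message}" }
      # Without overwrite the captured text is appended, turning [message] into
      # an array of [original, captured] instead of replacing it.
      overwrite => [ "message" ]
    }
    # Use the event's own time (e.g. 2019-10-25T22:24:01.481Z) as @timestamp
    # rather than ingestion time, so the index reflects when the lease was revoked.
    date {
      match => [ "timestamp", "ISO8601" ]
      target => "@timestamp"
    }
  }

  # /var/log/vault_audit.log — one JSON object per line, already decoded by Filebeat
  if [type] == "audit" {
    date {
      match => [ "time", "yyyy-MM-dd HH:mm:ss,SSS", "yyyy-MM-dd HH:mm:ss", "ISO8601" ]
      target => "@timestamp"
      remove_field => [ "time" ]
      tag_on_failure => [ "_dateparsefailure" ]
    }
  }
}

output {
  # NOTE(review): both outputs talk plain http with no user/password or ssl.
  # Vault audit events (request paths, display_name, remote_address) are
  # sensitive; enable TLS and authentication on the cluster and set
  # ssl/cacert/user/password on these outputs.
  if [type] == "audit" {
    elasticsearch {
      hosts => [ "<example.com>:9200" ]
      index => "vault-audit-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
  if [type] == "lease" {
    elasticsearch {
      hosts => [ "<example.com>:9200" ]
      index => "vault-lease-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    }
  }
}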
My /var/log/vault_audit.log
{"time":"2019-10-29T20:47:14.815642694Z","type":"request","auth":{"client_token":"hmac-sha256:6916e7410a073286e8c9a7b05a53b5117014a5641ad92ed7aa08b8af12fa6ebe","accessor":"hmac-sha256:864a6b3a596eb4118035fc1f40ba806f9b4c666004c0c43f92652b171a0b1101","display_name":"root","policies":["root"],"token_policies":["root"],"token_type":"service"},"request":{"id":"f4adc254-c463-7d65-5a09-9385efbf2b32","operation":"read","client_token":"hmac-sha256:6916e7410a073286e8c9a7b05a53b5117014a5641ad92ed7aa08b8af12fa6ebe","client_token_accessor":"hmac-sha256:864a6b3a596eb4118035fc1f40ba806f9b4c666004c0c43f92652b171a0b1101","namespace":{"id":"root"},"path":"sys/mounts","remote_address":"96.112.245.168"}}
My /var/log/vault_lease.log
2019-10-25T22:24:01.481Z [INFO] expiration: revoked lease: lease_id=auth/<abc>/login/abcbabacbadbadbadbadbabdchbajndsadbnnvcxbcxvbasdnlasadbasdjsadfbkabcbabacbadbadbadbadbabdchbajndsadbnnvcxbcxvbasdnlasadbasdjsadfbk 2019-10-25T22:24:16.360Z [INFO] expiration: revoked lease: lease_id=auth/<abc>/login/abcbabacbadbadbadbadbabdchbajndsadbnnvcxbcxvbasdnlasadbasdjsadfbkabcbabacbadbadbadbadbabdchbajndsadbnnvcxbcxvbasdnlasadbasdjsadfbk
The problem is that it doesn't create an index named "vault-lease-*" in Elasticsearch. Also, please let me know whether this is the correct configuration.