Hi,
I set up ELK and Logstash with a Beats input:
input {
  beats {
    port => 5044
    # TLS is switched off for this test setup; the certificate and key
    # below are what would be used once ssl is set to true
    ssl => false
    # ssl_certificate => "/etc/pki/tls/certs/logstash-beats.crt"
    # ssl_key => "/etc/pki/tls/private/logstash-beats.key"
    # codec => syslog
  }
}
I experimented with assigning a codec, but this doesn't work. Also, the SSL stuff is inactive because this is a test environment.
Now I have filebeat, and I forward logs:
output:
  logstash:
    enabled: true
    hosts:
      - elk:5044
    # TLS towards Logstash is commented out for the test environment
    # tls:
    #   certificate_authorities:
    #     - /etc/pki/tls/certs/logstash-beats.crt
    timeout: 15

filebeat:
  prospectors:
    -
      paths:
        - /var/log/syslog
        - /var/log/auth.log
      # document_type becomes the "type" field of every event sent to Logstash
      document_type: syslog
I would like to get fields extracted in Kibana from messages like this:
Mar 15 15:56:30 mjo dnsmasq-dhcp[4818]: DHCPREQUEST(virbr0) 192.168.100.225 52:54:00:d7:47:49
In Kibana the application field (dnsmasq-dhcp) does not get extracted:
Is there an easy way to perform the field extractions to benefit from the visualizations? I would like to use the Beats agent to forward syslog as well as files, because the integration is central and easy to manage. Of course I can use rsyslog and forward into Logstash directly, but I'd like to do all the forwarding with Filebeat here.
Thanks ;),
Marius
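One way to get the program name (and the rest of the syslog header) extracted for the line quoted in the question is a grok filter on the Logstash side, keyed on the "type" field that Filebeat sets from document_type. The filter block below is an added example written for this thread, not configuration from the original post or from the Logstash project; it uses the stock grok patterns SYSLOGBASE, WORD, DATA, IP and MAC. The field names dhcp_action, dhcp_interface, dhcp_ip and dhcp_mac and the failure tags are my own choice and can be renamed freely.

```logstash
filter {
  # Filebeat's "document_type: syslog" arrives in Logstash as the "type" field
  if [type] == "syslog" {

    # Split the syslog header. SYSLOGBASE matches "timestamp host program[pid]:"
    # and produces the fields timestamp, logsource, program and pid, so the
    # sample line yields program => "dnsmasq-dhcp" and pid => "4818".
    grok {
      match => { "message" => "%{SYSLOGBASE} %{GREEDYDATA:syslog_message}" }
      tag_on_failure => [ "_grokparsefailure_syslog" ]
    }

    # Take @timestamp from the log line rather than from the time of ingestion.
    # "MMM  d" (two spaces) is the form syslog writes for single-digit days.
    date {
      match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }

    # Second pass for dnsmasq-dhcp only, e.g. the message part
    #   DHCPREQUEST(virbr0) 192.168.100.225 52:54:00:d7:47:49
    # becomes dhcp_action, dhcp_interface, dhcp_ip and dhcp_mac
    # (field names are assumptions made for this example).
    if [program] == "dnsmasq-dhcp" {
      grok {
        match => { "syslog_message" => "%{WORD:dhcp_action}\(%{DATA:dhcp_interface}\) %{IP:dhcp_ip} %{MAC:dhcp_mac}" }
        tag_on_failure => [ "_grokparsefailure_dhcp" ]
      }
    }
  }
}
```

Lines that do not match end up tagged with the failure tag instead of being dropped, so a Kibana search for those tags shows which formats still need a pattern. After the first events with the new fields have been indexed, refresh the index pattern's field list in Kibana so the fields become available to visualizations. One caveat for when this leaves the test environment: with ssl => false on the beats input and the tls block commented out in Filebeat, everything in /var/log/auth.log crosses the network in cleartext, so re-enable the certificate settings shown in the question before shipping real authentication logs.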