Okay, stepping back a bit: what does the Auditbeat output look like if you configure it to write to a file?
https://www.elastic.co/guide/en/beats/auditbeat/current/file-output.html
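For example, something like this in auditbeat.yml (the path is just an example, and remember only one output can be enabled at a time, so comment out output.elasticsearch while testing):

output.file:
  path: "/tmp/auditbeat"   # placeholder directory
  filename: auditbeat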
I'm not familiar with the GCS output, but does changing output_format => "plain" to output_format => "json" change anything?
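For context, that option sits in the output block; a rough sketch, assuming the stock google_cloud_storage output plugin (bucket and key file are placeholders):

output {
  google_cloud_storage {
    bucket => "my-logs-bucket"             # placeholder
    json_key_file => "/path/to/key.json"   # placeholder
    output_format => "json"                # instead of "plain"
  }
}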
You'll need to configure a syslog input on Logstash. Then you should be able to point your firewall at it and parse the messages as needed. This page gives you the basics of what a Logstash config should look like.
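A minimal sketch (the port and Elasticsearch host are placeholders):

input {
  syslog {
    port => 5514   # pick a free port and point the firewall at it
  }
}
filter {
  # firewall-specific parsing (grok, kv, etc.) goes here
}
output {
  elasticsearch { hosts => ["localhost:9200"] }
}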
The documentation seems quite clear to me, and it even has examples https://www.elastic.co/guide/en/logstash/current/plugins-filters-elasticsearch.html
You specify a host to query, a query to send to that host, and if you have a match what fields from elasticsearch you'd like to copy into the current event.
Perhaps you can clarify what part of the filter you don't understand?
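Putting those pieces together, it boils down to roughly this (the query and the opid/started field names mirror the docs example, not your data):

filter {
  elasticsearch {
    hosts => ["localhost:9200"]                     # host to query
    query => "type:start AND operation:%{[opid]}"   # query built from the current event
    fields => { "@timestamp" => "started" }         # on a match, copy @timestamp into "started"
  }
}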
Try it without the square brackets?
add_field => { "cef_version" => "%{cef_message[0]}" }
Did you follow this guide? https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-syslog.html
Also, is there a reason for using Logstash in the middle? Is Filebeat not receiving the syslog traffic, or is the handover to Logstash failing? What do the logs say? Filebeat's own log usually shows what the issue is, if Filebeat is the problem...
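For comparison, the minimal input config from that guide looks roughly like this (listen address and port are placeholders):

filebeat.inputs:
- type: syslog
  protocol.udp:
    host: "0.0.0.0:9001"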
Thank you, thank you! I had a fundamentally wrong understanding at a conceptual level.
So in other words, Logstash can run on all the remote servers and we can instruct it to send the files to ES, for example.
I got thrown off by a tutorial that talked about logstash-forwarder.
The tutorial presents Logstash and logstash-forwarder as two different entities, but it does not explain what each of them does.
If you could clear that part up for me, it would end my confusion about how this whole thing works.
I really appreciate it.
PS: This is the tutorial in question.
Can you use Filebeat instead? It has a Checkpoint module now:
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-checkpoint.html
It can then output directly to Elasticsearch, or to Logstash if that's still required.
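To get started, you'd enable it with filebeat modules enable checkpoint and then set the listen address/port in modules.d/checkpoint.yml; a rough sketch (values are placeholders, check the module docs for the exact variable names):

- module: checkpoint
  firewall:
    enabled: true
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001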
I think you want the date filter plugin, if I'm understanding what you're asking.
Put a date filter similar to this after the grok {}:

filter {
  grok { ... }   # your existing grok
  date { match => [ "syslog_timestamp", "MMM dd yyyy HH:mm:ss" ] }
}
Docs are here: https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html
Yes, you need to create a pipeline config file and define input, filter and output sections. That way, Logstash knows which file(s) to monitor, how to read them, and what to do in the end. Learn more here => https://www.elastic.co/guide/en/logstash/current/configuration.html
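A minimal sketch of such a pipeline (path, grok pattern and hosts are placeholders):

input {
  file {
    path => "/var/log/myapp/*.log"    # what file(s) to monitor
    start_position => "beginning"
  }
}
filter {
  grok { match => { "message" => "%{COMBINEDAPACHELOG}" } }   # how to read them
}
output {
  elasticsearch { hosts => ["localhost:9200"] }               # what to do in the end
  stdout { codec => rubydebug }                               # handy while testing
}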
You can try setting ssl_endpoint_identification_algorithm to an empty string (""). This bypasses TLS hostname verification, so I assume it will also skip the SAN check. Otherwise you'll need to make sure the hosts/IPs in bootstrap_servers match what's in the cert's SAN.
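If this is the Kafka output, for example, it would look something like this (broker address is a placeholder):

output {
  kafka {
    bootstrap_servers => "kafka01.example.com:9093"   # must match the cert's SAN unless verification is disabled
    security_protocol => "SSL"
    ssl_endpoint_identification_algorithm => ""       # disables hostname verification
  }
}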
You might be better off capturing all the policy IDs with one greedy pattern and then using mutate/split on the field.
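Something along these lines (the pattern, the field name and the comma separator are assumptions about your data):

grok   { match => { "message" => "policies: %{GREEDYDATA:policy_ids}" } }   # hypothetical pattern
mutate { split => { "policy_ids" => "," } }                                 # turn the string into an array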
Well, I was able to follow this installation process, and I was actually able to pull some logs in (for about 2 hours), but then it stopped working, and I got frustrated and tried the whole installation process via Redis. So I'm essentially at the point where I want to start over and do it again, but I have already installed Logstash, Elasticsearch, Kibana and logstash-forwarder. I have also removed and reinstalled them, hoping that would fix things. :b It's the configuration that is screwing me up, since my logs aren't being pulled.
Hello,
I'm using this template to ship rsyslog to logstash via JSON: http://www.freeipa.org/page/Howto/Centralised_Logging_with_Logstash/ElasticSearch/Kibana
After some tinkering I've thinned it down to:
template(name="ls_json" type="list" option.json="on") {
  constant(value="{")
  constant(value="\"@timestamp\":\"")        property(name="timegenerated" dateFormat="rfc3339")
  constant(value="\",\"@version\":\"1")
  constant(value="\",\"message\":\"")        property(name="msg")
  constant(value="\",\"host\":\"")           property(name="fromhost")
  constant(value="\",\"host_ip\":\"")        property(name="fromhost-ip")
  #constant(value="\",\"logsource\":\"")     property(name="fromhost")
  constant(value="\",\"severity_label\":\"") property(name="syslogseverity-text")
  #constant(value="\",\"severity\":\"")      property(name="syslogseverity")
  constant(value="\",\"facility_label\":\"") property(name="syslogfacility-text")
  #constant(value="\",\"facility\":\"")      property(name="syslogfacility")
  constant(value="\",\"program\":\"")        property(name="programname")
  constant(value="\",\"pid\":\"")            property(name="procid")
  constant(value="\",\"syslogtag\":\"")      property(name="syslogtag")
  constant(value="\"}\n")
}

*.* @@logstash01.example.com:5500;ls_json
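On the Logstash side, since this emits one JSON object per line over TCP, the matching input would be something like this (port taken from the forwarding rule above):

input {
  tcp {
    port => 5500
    codec => json_lines
  }
}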
grok { match => { "message" => [ "%{PATTERN1}", "%{PATTERN2}" ] } }
This sounds a bit overcomplicated to me.
If you only want to collect syslog messages on the original host, why not simply forward them to Graylog natively? Most syslog daemons support TLS out-of-the-box and Graylog supports ingesting syslog over TLS. See https://github.com/Graylog2/graylog-guide-syslog-linux#readme for examples.
You could also use the Lumberjack output for Logstash to forward messages over TLS to Graylog (received there with a Beats input).
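A rough sketch of that output (host, port and certificate path are placeholders):

output {
  lumberjack {
    hosts => ["graylog.example.com"]
    port => 5044
    ssl_certificate => "/etc/logstash/graylog-beats.crt"
  }
}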
Your grok pattern looks fine (in the grok debugger it'd be "%{SYSLOGBASE2} %{GREEDYDATA:syslog_message}"); it's your date filter that's off. You don't want to match message, you want to match timestamp8601 against the ISO8601 pattern (reference).
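I.e. something like this (timestamp8601 is the field SYSLOGBASE2 captures for ISO8601 timestamps):

date { match => [ "timestamp8601", "ISO8601" ] }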
PS: Custom formats are fine in my book as long as you're consistent.
You should stop using type as a way to categorize your logs; it's an ES special field, and it makes mappings huge. Use another field, like ls_type, instead.
What's probably happening is that you are grokking the date directly into @timestamp in a non-Joda format, and on ingest ES wants to make it a string, but that conflicts with other uses of @timestamp. You probably need to put the time in a different field and do a date match on that field; see https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html
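For example (field names are hypothetical; adjust the pattern to your actual timestamp format):

grok { match => { "message" => "%{TIMESTAMP_ISO8601:event_time} %{GREEDYDATA:event_message}" } }
date {
  match => [ "event_time", "ISO8601" ]
  remove_field => [ "event_time" ]   # drop the temporary field once @timestamp is set
}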
Now that I think about it, loads of .* regex matches on every line is an extremely inefficient way of extracting data, especially given the speed and verbosity of the typical Bro log.
If the JSON log format isn't possible for some reason, use the csv filter with a separator of \t. You can define field names in the columns setting.
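For example (the columns below are the start of Bro's conn.log header; adjust them per log type, and note the separator has to be a literal tab character unless config.support_escapes is enabled):

filter {
  csv {
    separator => "	"   # a literal tab
    columns => [ "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto" ]
  }
}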
Is there a reason why you're using the raw tcp / udp inputs? Why not use the syslog input?
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-syslog.html
It's not a direct answer to your question, but it might be that your grok filter doesn't quite match, causing the data to be recorded in such a way that you can't find it.