Hello, I have alerts in which the message is displayed all together. (Image) I don't know much about the config.
I know where this change is made: in the global configuration, through filters. I don't know how to program it.
Thanks!
Logstash
melani morales
- Posts: 8
- Joined: Fri Oct 30, 2020 10:14 am
Re: Logstash
Are these pfsense logs? I recently answered a question about filtering them here - https://support.nagios.com/forum/viewto ... 38&t=60444.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.
Re: Logstash
Thank you!
I don't understand the error
{:timestamp=>"2020-11-24T14:54:26.472000-0300", :message=>"The given configuration is invalid. Reason: Expected one of #, => at line 98, column 48 (byte 2296) after filter {\n if [program] == 'apache_access' {\n grok {\n match => ['message', '%{COMBINEDAPACHELOG}']\n }\n date {\n match => ['timestamp', 'dd/MMM/yyyy:HH:mm:ss Z', 'MMM d HH:mm:ss', 'MMM dd HH:mm:ss', 'ISO8601']\n }\n mutate {\n replace => ['type', 'apache_access']\n convert => ['bytes', 'integer']\n convert => ['response', 'integer']\n }\n }\n\n if [program] == 'apache_error' {\n grok {\n match => ['message', '\\[(?<timestamp>%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME} %{YEAR})\\] \\[%{WORD:class}\\] \\[%{WORD:originator} %{IP:clientip}\\] %{GREEDYDATA:errmsg}']\n }\n mutate {\n replace => ['type', 'apache_error']\n }\n }\n if [program] == 'xi_auditlog' {\n grok {\n match => ['message', '%{XIAUDITLOG_MESSAGE}']\n patterns_dir => '/usr/local/nagioslogserver/etc/patterns'\n overwrite => ['message']\n }\n date {\n match => ['timestamp', 'yyyy-MM-dd HH:mm:ss']\n }\n mutate {\n replace => ['type', 'xi_auditlog']\n }\n }\n if [type] == 'pfsense' {\n grok {\n patterns_dir => '/usr/local/nagioslogserver/etc/patterns'\n match => { \"message\" => \"%{SYSLOG5424PRI}%{CISCOTIMESTAMP} filterlog: %{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}> \"\n PFS_ENSE: fatal:
Re: Logstash
There's an error in the configuration. It looks like part of the match line may be missing. The complete filter should look like:
Code:
    if [type] == 'pfsense' {
        grok {
            patterns_dir => '/usr/local/nagioslogserver/etc/patterns'
            match => { "message" => "%{SYSLOG5424PRI}%{CISCOTIMESTAMP} filterlog: %{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}" }
        }
    }
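Both errors in this thread are Logstash parse failures rather than grok problems: the first ("Expected one of #, =>") points at a match line whose string was not terminated, and the second ("Expected one of #, else, if, \", ', }" at the last line of the generated file) means a block opened with `{` was never closed. The checker below is an added example, not code from Nagios or from the thread: it scans a filter fragment before it is pasted into Nagios Log Server and reports the line and column of the first unterminated string or unbalanced brace, skipping comments and quoted strings so the `%{...}` tokens inside grok patterns are not counted. The three sample snippets are constructed for illustration; the balanced one is the filter from the answer above wrapped in a `filter { }` block.

```python
# Added example (not part of the Nagios forum thread): pre-check a Logstash
# filter fragment for unbalanced braces/brackets and unterminated strings,
# reporting the position of the first problem like Logstash's
# "Expected one of ... at line N, column M" message would.

OPENERS = {"{": "}", "[": "]"}
CLOSERS = {"}": "{", "]": "["}


def check_logstash_braces(config):
    """Return None when the fragment is balanced, otherwise a dict
    {"line", "column", "reason"} for the first problem found.
    Comments (# to end of line) and 'single'/"double" quoted strings are
    skipped, so braces inside grok patterns such as "%{SYSLOG5424PRI}"
    are ignored; backslash escapes inside strings are honoured."""
    stack = []            # (opener, line, column) of blocks still open
    line, col, i = 1, 1, 0
    n = len(config)

    def advance():
        nonlocal i, line, col
        if config[i] == "\n":
            line, col = line + 1, 1
        else:
            col += 1
        i += 1

    while i < n:
        ch = config[i]
        if ch == "#":                         # comment: skip to end of line
            while i < n and config[i] != "\n":
                advance()
            continue
        if ch in "'\"":                       # quoted string: skip to closing quote
            quote, qline, qcol = ch, line, col
            advance()
            while i < n and config[i] != quote:
                if config[i] == "\\" and i + 1 < n:
                    advance()                 # skip the escaped character too
                advance()
            if i >= n:
                return {"line": qline, "column": qcol,
                        "reason": "unterminated %s string" % quote}
            advance()                         # consume closing quote
            continue
        if ch in OPENERS:
            stack.append((ch, line, col))
        elif ch in CLOSERS:
            if not stack or stack[-1][0] != CLOSERS[ch]:
                return {"line": line, "column": col,
                        "reason": "unexpected '%s'" % ch}
            stack.pop()
        advance()

    if stack:                                 # reached end of input with open blocks
        opener, oline, ocol = stack[-1]
        return {"line": line, "column": col,
                "reason": "'%s' opened at line %d, column %d is never closed"
                          % (opener, oline, ocol)}
    return None


# Constructed samples: the filter from the answer above, wrapped in filter { }.
GOOD_FILTER = """filter {
  if [type] == 'pfsense' {
    grok {
      patterns_dir => '/usr/local/nagioslogserver/etc/patterns'
      match => { "message" => "%{SYSLOG5424PRI}%{CISCOTIMESTAMP} filterlog: %{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}" }
    }
  }
}
"""

# Constructed: the pattern string is never closed (the first error's shape).
BROKEN_QUOTE = """filter {
  if [type] == 'pfsense' {
    grok {
      match => { "message" => "%{SYSLOG5424PRI}%{CISCOTIMESTAMP} filterlog: }
    }
  }
}
"""

# Constructed: the closing brace of filter { is missing, so the failure is
# only reported at the end of the file, after the comment block (the second
# error's shape).
MISSING_BRACE = """filter {
  if [type] == 'pfsense' {
    grok {
      patterns_dir => '/usr/local/nagioslogserver/etc/patterns'
      match => { "message" => "%{SYSLOG5424PRI}%{CISCOTIMESTAMP} filterlog: %{PFSENSE_LOG_DATA}" }
    }
  }
#
# Local filters
#
"""

if __name__ == "__main__":
    for name, snippet in (("good", GOOD_FILTER), ("broken quote", BROKEN_QUOTE),
                          ("missing brace", MISSING_BRACE)):
        print(name, "->", check_logstash_braces(snippet))
```

Run it on the whole generated config, not just the pasted part, when the error position is the last line of the file: an unclosed block is only detected at end of input, which is why Logstash reported line 143, column 1 rather than the line of the filter itself.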
Re: Logstash
I put that same thing in, and I keep getting this error:
{:timestamp=>"2020-11-25T15:04:44.360000-0300", :message=>"The given configuration is invalid. Reason: Expected one of #, else, if, \", ', } at line 143, column 1 (byte 1834) after filter {\n if [type] == 'pfsense' {\n grok {\n patterns_dir => '/usr/local/nagioslogserver/etc/patterns'\n match => { \"message\" => \"%{SYSLOG5424PRI}%{CISCOTIMESTAMP} filterlog: %{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}\" }\n }\n}\n\n#\n# Local filters\n#\n\n\n\n\n\n# \n# Logstash Configuration File\n# Dynamically created by Nagios Log Server\n#\n# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.\n#\n# Created Wed, 25 Nov 2020 15:03:12 -0300\n#\n\n#\n# Global livealert_filters\n#\n\n\n\n#\n# Local livealert_filters\n#\n\n\n\n\n\n# \n# Logstash Configuration File\n# Dynamically created by Nagios Log Server\n#\n# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.\n#\n# Created Wed, 25 Nov 2020 15:03:12 -0300\n#\n\n#\n# Global livealert_outputs\n#\n\n\n\n#\n# Local livealert_outputs\n#\n\n\n\n\n\n# \n# Logstash Configuration File\n# Dynamically created by Nagios Log Server\n#\n# DO NOT EDIT THIS FILE. IT WILL BE OVERWRITTEN.\n#\n# Created Wed, 25 Nov 2020 15:03:12 -0300\n#\n\n#\n# Global outputs\n#\n\n\n\n#\n# Local outputs\n#\n\n\n\n\n\n", :level=>:fatal}
Re: Logstash
Does your filter look like the one in the screenshot?