ELK LDAP log filtering
Question
Two things: Our logs look like this -
May 11 06:51:31 ldap slapd[6694]: conn=1574001 op=1 SRCH base="cn=s_02,ou=users,o=meta" scope=0 deref=0 filter="(...)"
I need to 1) take the time stamp and set it to the left column "time" in Kibana's discover panel and 2) take the number after connection and make it a field so as to be able to order them by number. I've spent all day researching and date and mutate seem promising, but I haven't been able to get them correctly implemented. The config file looks like this:
input { file { path => "/Desktop/logs/*.log" type => "log" sincedb_path => "/dev/null" } } output { elasticsearch { hosts => "127.0.0.1" index => "logstash-%{type}-%{+YYYY.MM.dd}" } file { path => "/home/logsOut/%{type}.%{+yyyy.MM.dd.HH.mm}" } }
1 answers
solution1
0 2016-05-19 19:48:45
If you only need these two as seperate fields:
filter {
grok {
match => {
"message" => [ "%{SYSLOGBASE} conn=%{INT:conn}" ]
}
}
date {
match => [ "timestamp", "MMM dd HH:mm:ss" ]
target => "time"
}
mutate {
convert => { "conn" => "integer" }
}
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
Integration between ELK and LDAP
ELK - Filtering data with Logstash
Apple System Log to ELK
Application log files to ELK
ELK apache spark application log
Log storage location ELK stack
Log report software for ELK stack
Configuration ELK + log4j
ELK stack for non http log
Log inactivity monitoring in ELK stack
Related Tags