#logstash

what do you want to know about them

do you want a list?

I am doing that filtering on my syslog that I am sending to logstash

but if I do like a pie chart for country code hits or something

I would like it to be unique hits, not if the same IP goes to the website 1000x times

(not sure if that functionality is built in or configurable)

so figured I would ask the experts

Good day. We're running Logstash 1.4.0 and we hit issue LOGSTASH-2055. We were wondering if there's an ETA on when 1.4.1 will be released. Any ideas?

Jira issue [LOGSTASH-2055] Log4j input not working - logstash.jira.com - https://logstash.jira.com/browse/LOGSTASH-2055

that's a handy feature

Hey All, any suggestions for how to use logstash? I’m debating between sending ALL logs to logstash and filtering with kibana vs only sending select information to the logstash server. Which model do most people use?

spuder: I

I'd advise starting small and getting the grokking right before you grow how many logfiles it manages

I’ve got 1 machine sending the entire auth, and apache logs to logstash. I plan on adding about 30 other machines. Do you filter before or after the logs go out?

spuder: you can decide on that really, in my design I filtered on the shipping instance

hey everybody, could someone possibly suggest a shipper that can ship entire log files to logstash? I have lumberjack set up right now but I don't believe it can send logs that have already been written.

waltertv: I think you can pipe the preexiting files into logstash-forwarder for the initial shipping (cat log | logstash-forwarder ...)

waltertv: but I haven't used logstash-forwarder much

thanks attractiveape, I didn't think of just directly sending it in

waltertv: let me know if that works, glad to help

What would a grok pattern look like for when a user ssh-es into a machine?

spuder: wouldn't that be in /var/log/auth.log ?

yes, but I don’t want every line in the auth.log, just when a user connects

spuder: so I guess something to capture this line? : "sshd[19650]: pam_unix(sshd:session): session opened for user vagrant by (uid=0)"

spuder: I can't help now, but if you're around in a few hours, we could talk

This is the line I’m trying to write a grok pattern for. Surely I’m not the first person to try and write it.

May 1 16:25:23 foosball sshd[24657]: Accepted publickey for sowen from 10.1.5.33 port 63462 ssh2

thanks shoerain, I’ll follow up later

coolacid: you've got a neat set of examples in your gettingstartedwithELK

shoerain: send link

zquad: are you asking for https://github.com/coolacid/GettingStartedWithELK ?

Title: coolacid/GettingStartedWithELK · GitHub (at github.com)

coolacid/GettingStartedWithELK

ignore that :)

afternoon everyone

in the sysV init.d script what process is the startup script looking for to get the java command?

Hi All, any idea why I am getting "load error: win32ole/win32ole -- java.lang.UnsatisfiedLinkError:"?

JscoLP: it looks like windows OLE doesn't like something in the logstash library

or the jruby library

Hi, I'm getting an error from elasticsearch about 'failed to start shard/failed to recover shard' and am wondering if anyone can recommend what I can do to fix it? Full log at http://pastebin.com/gc5Ru415 - Thx :)

Title: [2014-05-01 10:36:41,064][WARN ][cluster.action.shard ] [Strongarm] [logstas - Pastebin.com (at pastebin.com)

ggl: I am running a basic install on fresh ubuntu 12.04 x64. I am trying to use the eventlog plugin, and have installed the contribs as per the install guide

Is the current logstash-event gem v1.2.02 compatible with 1.4.x or 1.3.x?