#logstash

scameron, what are you getting vs what you're expecting

?

So we are having issues getting logstash-forwarder working. I think we have run into the go 1.3 TLS issue with our certs and we are using IP's in the server list. Is there any good documentation that explains a process to set it up and connect it to Logstash?

jarsever, what are you seeing that makes you think it's the go1.3 issue?

I guess it could be different... 1 sec

rastro: http://i.imgur.com/IGbRBYW.png

for the “host” field, I have the short hostname. i’d like to have the FQDN.

I run logstash on each system and output to rabbitmq

2014/09/30 10:44:44.176093 Connecting to 10.129.20.14:5043

2014/09/30 10:44:44.207688 Failed to tls handshake with 10.129.20.14:5043 EOF

rastro:

scameron, and running 'hostname' on the server returns the short name?

right

and you don't want to fix it there?

i was hoping i could do something like mutate {} on the host field

but if adjusting it at a system level is required, that’s okay

does anyone here know how I can get the full fqdn to be used on events instead of just the short hostname?

mg-al: it's often a matter of how your OS/distro displays the info :/

what shipper/distro are you using?

I've tried adding "$PreserveFQDN on" in the rsyslog.conf config but that doesn't seem to do it

ah, rsyslog

deb/ubuntu?

scameron, you could look it up with dns, or append it if it's a static string. http://logstash.net/docs/1.4.2/filters/dns

Title: logstash - open source log management (at logstash.net)

we're using Debian 7.6

jarserver: have you seen this? it worked for me. https://github.com/driskell/log-courier/blob/de...

<http://tinyurl.com/moecpl4>; (at github.com)

mg-al: try the first suggestion here: http://serverfault.com/questions/274625/how-do-...

<http://tinyurl.com/mrfryvd>; (at serverfault.com)

has anyone out there been able to get omhiredis (in rsyslog) going to buffer full log messages for ingestion by logstash?

^jarsever^

is there any thorough documentation on the glob support?

* of logstash-forwarder

gchristensen: not that I know of, what are you wondering?

I want to include *.log.[numeric] but exclude *.log.gz

This worked: https://github.com/elasticsearch/logstash-forwa...

<http://tinyurl.com/kc6kdzp>; (at github.com)

we just needed the 'subjectAltName' in a config

gchristensen: hmmm, not sure about that one. LSF currently lacks an "exclude" type setting, and I don't think go's globs let you do what you're after

jarsever, the go script is stand-alone, so you don't have to build a config. glad it worked out.

torrancew: exactly, some silly application's logging is ... leaving things to be desired, but I have to support it. unfortunately.

gchristensen: you could perhaps set up a cron/logrotate job to mvoe *.log.[number] to *.log.[number].log or somethign silly

and then rely on a single *.log glob

Hi I am setting up a input for rabbitmq and I want to connect to a remote host can I just use the name of the machine i.e. DEV-HOST

torrancew: aye, thank you for the tip

rastro: Yeah, I saw that one too. We'll have to figure out which method works best with chef. thanks for the help. :)

not sure what options there are for handling *very* chatty single inputs beyond using something as a MQ within rsyslog, and then parallelizing inputs in Logstash.

gchristiansen, if it's the go glob, here's the doc: http://golang.org/pkg/path/filepath/#Match

Title: filepath - The Go Programming Language (at golang.org)

i have a single log source (networking hardware forwarding syslog to collector rsyslog), and haven't been able to get Logstash to keep up with the volume.

log tailing falls behind horribly (obviously), and tokenizing to JSON (in rsyslog) and forwarding event to local UDP socket lags as well.

rastro: that looks promising, thank you

np

Any ideas? I’m going crazy trying to search my ELK stack for shellshock attempts. No matter how I escape the special characters, I can’t get elasticsearch to return results. e.g. looking for strings such as () or :;

Hi I am setting up a input for rabbitmq and I want to connect to a remote host can I just use the name of the machine i.e. DEV-HOST

coryz, are you searching across not_analyzed fields?

CoryZ: have you tried quoting them?

The characters are in the message field. I can see them if I search for other strings in individual attempts.

have tried quotes, regex, backslash, etc. am down to attempting to figure it out using curl and taking kibana out of the mix.

message fields look something like: {"message":"209.126.230.72 - - [24/Sep/2014:21:59:30 -0500] \"GET / HTTP/1.0\" 301 348 \"() { :; }; ping -c

coryz, and how is the message field being analyzed?

CoryZ: try searching against message.raw, perhaps?

curl -XGET 'http://localhost:9200/_search?q=message:\(\)'

apache logs -> logstash forwarder -> elasticsearch — not much analysis on the logstash side of things

as this seems to be the most active of the ELK channels...has anyone used this by any chance? https://github.com/salyh/elasticsearch-security...

<http://tinyurl.com/lcdzkfy>; (at github.com)

CoryZ: you'll have to do a regexp query probably on the message.raw field or similar.

cully: for starters, it has no license, for use or distribution, so I don't know what to tell you about that.

oh heh :-/

yeah - that's a great point

whack: any thoughts on segregating user data? We have some higher security type data that would be awesome for ES that some users are not auth'd for

I realize it's a hard problem to solve

cully: It's getting easier

I'm deploying a TLS mutual auth solution this week, built solely on nginx proxies

torrancew: oh? I admit I may be working off of slightly dated info

well, the "hard" part was always creating the filtered aliases in ES (are you familiar with that concept?)

yes, I've read on the ES site about it

There is lots of suggestions (and alternative option) here :: https://github.com/coolacid/elasticsearch-proxy

Title: coolacid/elasticsearch-proxy · GitHub (at github.com)

newer versions of ES can automate that in index templates, though, so that makes the rest of it fairly simple

coolacid: I had that open a while back and then lost it - I"ve been looking for it!