...

Since my "pingtime" is a value I want to visualize and use for a Y-axis, it must be numeric, hence the mutate to a float:


Drop something

...

Code block
if [DST] == "8.8.8.8"
{
  drop {}
}

Adding fields/metadata

From the syslog, I would like to add an owner of the source (identified by the source IP "SRC") and a device (also identified by the source IP "SRC").

...

This metadata lets me visualize traffic by IPOwner:
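The three filter steps described above (the float conversion, the drop, and the owner/device enrichment by source IP) combined into one filter block, as an added example rather than the page's own configuration. The enrichment uses the translate filter, which the page does not name; the dictionary addresses and names are constructed placeholders, and the field names SRC, DST, pingtime, IPOwner and Device are taken from the text.

```logstash
filter {
  # Y-axis values must be numeric, so force pingtime to a float
  mutate {
    convert => { "pingtime" => "float" }
  }

  # Noise we do not want indexed: drop traffic to the public DNS resolver
  if [DST] == "8.8.8.8" {
    drop {}
  }

  # Enrich each event with the owner of the source address.
  # Dictionary entries are constructed placeholders; for a real inventory,
  # load them from a file with dictionary_path instead of inlining them.
  translate {
    field       => "SRC"
    destination => "IPOwner"
    dictionary  => {
      "192.0.2.10" => "alice"
      "192.0.2.20" => "bob"
    }
    fallback => "unknown"
  }

  # Same lookup again, keyed on SRC, for the device behind the source address
  translate {
    field       => "SRC"
    destination => "Device"
    dictionary  => {
      "192.0.2.10" => "laptop"
      "192.0.2.20" => "printer"
    }
    fallback => "unknown"
  }
}
```

The fallback value makes unknown sources show up as "unknown" in the IPOwner visualization instead of silently missing, which is what you want when the point of the dashboard is to spot traffic nobody has claimed.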

Troubleshooting

Can't send data to Elasticsearch: Elasticsearch won't receive

My Elasticsearch was down, see:

Code block

Can send data to Elasticsearch - Congestion

The log /var/log/logstash/logstash.log shows:

Code block
{:timestamp=>"2016-04-08T08:32:32.217000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:32.721000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:33.232000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:33.733000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:34.282000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:34.783000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}

I have seen this twice. The first time, setting congestion_threshold in the beats input to more than 5 (I use 25) helped, see https://github.com/elastic/logstash/issues/4368. The second time, Elasticsearch really did not accept any input, see:

Code block
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
    congestion_threshold => 25
  }
}

Then restart Logstash.