
...

As my "pingtime" is a value I want to visualize and use for a Y-axis, it must be numeric, hence the mutate filter that converts it to a float:

[Image: the mutate filter converting pingtime to a float]

Drop something

...

Code block
# Discard every event whose destination is 8.8.8.8 before it reaches Elasticsearch
if [DST] == "8.8.8.8" {
  drop {}
}

Adding fields/metadata

From the router syslog I would like to add an owner (IPOwner) and a device (Device) to each event, both identified by the source IP ("SRC"). I have static IPs for the devices:

Code block
# One block per static source IP; add_field takes several key/value pairs in one hash
if [SRC] == "10.0.0.102" {
  mutate {
    add_field => { "IPOwner" => "Toke" "Device" => "iPad" }
  }
}
...
...
if [SRC] == "10.0.0.109" {
  mutate {
    add_field => { "IPOwner" => "Christopher" "Device" => "Laptop LAN" }
  }
}
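The three filter steps above (the mutate that converts pingtime to a float, the drop for 8.8.8.8, and the per-IP add_field blocks) modelled in plain Ruby, as an added example. This is not the page's own pipeline config and not Logstash code; it collapses the chain of if blocks into one lookup table and, beyond what the page shows, handles a source IP that is not in the table and a pingtime that is not numeric. The event layout, the tag name and the sample events are constructed assumptions.

```ruby
# Added example: the filter stage of this page's pipeline modelled in Ruby.
# Not the page's own Logstash config; event layout and samples are constructed.

# Static source-IP table taken from the page's add_field blocks.
IP_TABLE = {
  "10.0.0.102" => { "IPOwner" => "Toke",        "Device" => "iPad" },
  "10.0.0.109" => { "IPOwner" => "Christopher", "Device" => "Laptop LAN" },
}.freeze

DROP_DST = "8.8.8.8".freeze

# mutate { convert => { "pingtime" => "float" } }
# A value that is not numeric is left as it is and the event is tagged, so
# the bad input stays visible in Kibana instead of silently becoming 0.0.
# (The tag name is my own choice.)
def convert_pingtime(event)
  raw = event["pingtime"]
  return event if raw.nil?
  if raw.to_s =~ /\A-?\d+(\.\d+)?\z/
    event["pingtime"] = Float(raw)
  else
    (event["tags"] ||= []) << "_pingtime_not_numeric"
  end
  event
end

# if [DST] == "8.8.8.8" { drop {} }
def drop?(event)
  event["DST"] == DROP_DST
end

# The chain of `if [SRC] == ... { mutate { add_field => ... } }` blocks,
# collapsed into one table lookup. An unknown source gets no owner fields
# rather than a wrong one.
def add_owner_fields(event)
  extra = IP_TABLE[event["SRC"]]
  event.merge!(extra) if extra
  event
end

# Runs the steps in the order the page applies them: convert, drop, enrich.
def run_filter(events)
  events.each_with_object([]) do |src, out|
    event = src.dup # leave the caller's hash untouched
    convert_pingtime(event)
    next if drop?(event)
    out << add_owner_fields(event)
  end
end

# Constructed sample events, not real router syslog.
SAMPLE_EVENTS = [
  { "SRC" => "10.0.0.102", "DST" => "192.0.2.10", "pingtime" => "12.5" },
  { "SRC" => "10.0.0.109", "DST" => "8.8.8.8",    "pingtime" => "3.1" },
  { "SRC" => "10.0.0.200", "DST" => "192.0.2.20", "pingtime" => "n/a" },
].freeze

if __FILE__ == $PROGRAM_NAME
  run_filter(SAMPLE_EVENTS).each { |event| p event }
end
```

Running it prints two events: the iPad event with pingtime as a float and the owner fields attached, and the unknown-source event untouched apart from the tag; the ping to 8.8.8.8 is gone. Keeping the drop before the enrichment, as the page does, means no work is spent on events that are thrown away anyway.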

These extra fields make it possible to visualize traffic by IPOwner:

[Image: Kibana visualization of traffic by IPOwner]


Troubleshooting

Can't send data to Elasticsearch - Elasticsearch won't receive

My Elasticsearch was down; see below.

The /var/log/logstash/logstash.log shows:

Code block
{:timestamp=>"2016-04-08T08:32:32.217000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:32.721000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:33.232000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:33.733000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:34.282000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}
{:timestamp=>"2016-04-08T08:32:34.783000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}

My Elasticsearch was down - status "red":

Code block
curl localhost:9200/_cluster/health?pretty
{
  "cluster_name" : "moselk",
  "status" : "red",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 421,
  "active_shards" : 421,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 25,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 94.39461883408072
}
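Added example, not part of the original page: a small Ruby diagnostic that reads the two artefacts shown above, the repeated "pipeline is blocked" warnings from logstash.log and the _cluster/health output, and reports what they mean together. The log lines and the health JSON are the page's own (plus one constructed, unrelated info line to show the filtering); the percentage formula, the result hash fields and the single-node replica remark are my reading, not something Logstash or Elasticsearch ships.

```ruby
# Added example: a diagnostic over the two artefacts shown on this page, the
# logstash.log warnings and the _cluster/health output. Not Logstash's or
# Elasticsearch's own tooling; thresholds and wording are my own.
require "json"
require "time"

# Logstash 2.x writes each log line as a Ruby hash literal. Pull the fields
# out with a regex; never eval log text.
LOG_LINE = /:timestamp=>"(?<ts>[^"]+)".*?:message=>"(?<msg>[^"]*)".*?:level=>:(?<level>\w+)/

def parse_log_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  { ts: Time.parse(m[:ts]), msg: m[:msg], level: m[:level] }
end

# Counts the "pipeline is blocked" warnings and how long the burst lasted.
# Many in a short span means Beats is being turned away on every retry.
def blocked_pipeline_summary(lines)
  hits = lines.map { |l| parse_log_line(l) }.compact
              .select { |e| e[:level] == "warn" && e[:msg].include?("pipeline is blocked") }
  return { count: 0, span_seconds: 0.0 } if hits.empty?
  { count: hits.size, span_seconds: (hits.last[:ts] - hits.first[:ts]).round(3) }
end

# Reconstructs active_shards_percent_as_number from the counts; with the
# page's numbers 100 * 421 / (421 + 0 + 25) gives the 94.39 shown. This is
# my reading of the field, not Elasticsearch's source.
def active_shards_percent(health)
  total = health["active_shards"] + health["initializing_shards"] + health["unassigned_shards"]
  return 100.0 if total.zero?
  100.0 * health["active_shards"] / total
end

def diagnose(health)
  findings = []
  case health["status"]
  when "red"
    findings << "status red: at least one primary shard is unassigned, writes to those indices fail and Logstash backs up"
  when "yellow"
    findings << "status yellow: every primary is assigned, only replicas are missing"
  end
  if health["number_of_data_nodes"] == 1 && health["unassigned_shards"] > 0
    findings << "single data node: a replica is never placed on the node that holds its primary, so set number_of_replicas to 0 or add a node"
  end
  findings << format("%d of %d shard copies unassigned",
                     health["unassigned_shards"],
                     health["active_shards"] + health["unassigned_shards"])
  findings
end

# The page's six warnings plus one constructed info line that must be ignored.
SAMPLE_LOG_LINES = [
  '{:timestamp=>"2016-04-08T08:32:30.000000+0200", :message=>"Pipeline main started", :level=>:info}',
  '{:timestamp=>"2016-04-08T08:32:32.217000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}',
  '{:timestamp=>"2016-04-08T08:32:32.721000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}',
  '{:timestamp=>"2016-04-08T08:32:33.232000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}',
  '{:timestamp=>"2016-04-08T08:32:33.733000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}',
  '{:timestamp=>"2016-04-08T08:32:34.282000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}',
  '{:timestamp=>"2016-04-08T08:32:34.783000+0200", :message=>"Beats input: the pipeline is blocked, temporary refusing new connection.", :reconnect_backoff_sleep=>0.5, :level=>:warn}',
].freeze

# The _cluster/health output from the page.
HEALTH_JSON = <<~JSON
  {
    "cluster_name" : "moselk",
    "status" : "red",
    "timed_out" : false,
    "number_of_nodes" : 1,
    "number_of_data_nodes" : 1,
    "active_primary_shards" : 421,
    "active_shards" : 421,
    "relocating_shards" : 0,
    "initializing_shards" : 0,
    "unassigned_shards" : 25,
    "delayed_unassigned_shards" : 0,
    "number_of_pending_tasks" : 0,
    "number_of_in_flight_fetch" : 0,
    "task_max_waiting_in_queue_millis" : 0,
    "active_shards_percent_as_number" : 94.39461883408072
  }
JSON

if __FILE__ == $PROGRAM_NAME
  p blocked_pipeline_summary(SAMPLE_LOG_LINES)
  health = JSON.parse(HEALTH_JSON)
  printf("active shards: %.2f%%\n", active_shards_percent(health))
  diagnose(health).each { |finding| puts "- #{finding}" }
end
```

On the page's data this reports six blocked-pipeline warnings inside roughly 2.6 seconds (the 0.5 s reconnect backoff visible in every line) and a red cluster with 25 of 446 shard copies unassigned. The two belong together: Logstash refuses Beats connections because its output cannot write to Elasticsearch, so the fix is on the Elasticsearch side, not in the Beats input.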

See Elasticsearch - Tips and Troubleshooting 

Can send data to Elasticsearch - Congestion

...