DevOps Classroomnotes 18/Dec/2022

Logstash Grok Patterns with Regular expressions

• Regex Cheatsheet Refer Here
• Grok Debugger Refer Here
• Sample logs github Refer Here
• Sample grok patterns
  
  
  
• Consider the following log

Jun 14 15:16:01 combo sshd(pam_unix)[19939]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=218.188.2.4

log_date = Jun 14 15:16:01
process_name = sshd
pid=19939
log_message= autentication failure
remote_host = 218.188.2.4

• Solution

# One
(?<log_date>%{WORD}%{SPACE}%{MONTHDAY}%{SPACE}%{TIME})%{SPACE}%{WORD}%{SPACE}%{WORD:process_name}\(%{WORD}\)\[%{NUMBER:pid}\]:%{SPACE}%{GREEDYDATA:log_message};%{GREEDYDATA}%{IP:remote_host}

# Better solution
%{SYSLOGTIMESTAMP:log_date}%{SPACE}%{WORD}%{SPACE}%{WORD:process_name}\(%{WORD}\)\[%{NUMBER:pid}\]:%{SPACE}%{GREEDYDATA:log_message};%{GREEDYDATA}%{IP:remote_host}

• Consider the following log

17/06/09 20:10:40 INFO executor.CoarseGrainedExecutorBackend: Registered signal handlers for [TERM, HUP, INT]

log_date = 17/06/09 20:10:40
level = info
class = executor.CoarseGrainedExecutorBackend
message = Registered signal handlers for [TERM, HUP, INT]

• Solution

%{DATESTAMP:log_date}%{SPACE}%{LOGLEVEL:level}%{SPACE}%{JAVAFILE:class}:%{SPACE}%{GREEDYDATA:message}

Logstash

• Lets apply the grok filters to log pipelines
• Refer Here for sample pipeline
• To make above pipeline write logs to elastic search we need to change the output plugin to elastic search and also mention index
  
• For logstash and kibana while you are creating a user consider built in roles Refer Here
• For this we have executed the following curl requests

curl -X POST -u "elastic:Y+Q=JiV1EN=0lYe9hjpc" --insecure "https://localhost:9200/_security/user/qtelastic?pretty" -H 'Content-Type: application/json' -d'
{
  "password" : "india@1234",
  "roles" : [ "kibana_admin", "logstash_admin", "ingest_admin", "machine_learning_admin", "watcher_admin", "transform_admin" ],
  "full_name" : "qtelastic",
  "email" : "qtelastic@example.com",
  "metadata" : {
    "intelligence" : 7
  }
}
'

curl -X POST -u "elastic:Y+Q=JiV1EN=0lYe9hjpc" --insecure "https://localhost:9200/_security/user/qtadmin?pretty" -H 'Content-Type: application/json' -d'
{
  "password" : "india@1234",
  "roles" : [ "superuser" ],
  "full_name" : "qtadmin",
  "email" : "qtadmin@example.com",
  "metadata" : {
    "intelligence" : 7
  }
}
'

• Lets configure logstash.yaml changed elastic search default username and password
• Refer Here for the pipeline and then lets test this
• We have sent the logs from logstash to elastic search, now lets verify in kibana
  
  
  
  
  
• configuration files should be stored in /etc/logstash/conf.d
• restart the daemon and enable logstash service.