ELK for Postfix

Discussion in 'Linux Admins, Storage and Virtualization' started by VlaKl, Oct 8, 2019.

  1. VlaKl

    VlaKl New Member

    Hi

    ELK (Elasticsearch, Logstash, Kibana) on 192.168.199.131
    Filebeat on 192.168.199.145

    In 192.168.199.131:

    tcp6 0 0 127.0.0.1:9200 :::* LISTEN 68352/java
    tcp6 0 0 ::1:9200 :::* LISTEN 68352/java

    firewalld disabled
    In /etc/logstash/conf.d/input.conf:
    input {
        beats {
            port => 5044
        }
    }

    In /etc/logstash/conf.d/output.conf:
    output {
        elasticsearch {
            hosts => "localhost:9200"
            index => "postfix-%{+YYYY.MM.dd}"
        }
        #stdout { codec => rubydebug }
    }

    In /etc/logstash/conf.d/filter.conf:
    filter {
        if [type] == "postfix" {
            grok {
                match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT}\])?: %{GREEDYDATA:message}"" }
            }
        }

    On Filebeat, /etc/filebeat/filebeat.yml:

    filebeat.inputs:
    - type: log
      enabled: true
      paths:
        - /var/log/maillog*

    output.logstash:
      hosts: ["192.168.199.131:5044"]

    xpack.monitoring:
      enabled: true
      elasticsearch:
        hosts: ["http://192.168.199.131:9200"]


    But there are no indexes in Kibana => parent index.
    Any help?
     
    #1
  2. VlaKl

    VlaKl New Member

    UPD: I deleted input.conf and output.conf in /etc/logstash/conf.d/. Now, instead of them, there is one file, /etc/logstash/conf.d/postfox.conf:
    input {
        beats {
            type => "postfix"
            port => 5044
        }
    }

    filter {
        if [type] == "postfix" {
            grok {
                match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT}\])?: %{GREEDYDATA:message}"" }
            }
        }
    }

    output {
        elasticsearch {
            type => "postfix"
            hosts => "localhost:9200"
            index => "postfix-%{+YYYY.MM.dd}"
        }
        #stdout { codec => rubydebug }
    }

    But Logstash does not start. In the log /var/log/logstash/logstash-plain.log:
    Failed to execute action {:action=>LogStash:pipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, } at line 11, column 124 (byte 234) after filter {\n if [type] == \"postfix\" {\n grok {\n match => { \"message\" => \"%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:rogram}(?:\\[%{POSINT}\\])?: %{GREEDYDATA:message}\"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2584:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:153:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:26:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:326:in `block in converge_state'"]}

    What's wrong?
     
    #2
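Added example (Python, not from the posts above): a regex equivalent of the grok pattern the posts use, run over constructed maillog lines, plus a simplified quote/brace balance check of the kind that catches the stray closing quote behind Logstash's "Expected one of #, {, }" error. The regex, the helper names and the sample lines are assumptions made here, not Logstash's own parser or output.

```python
import re

# Regex equivalent (added here, not from the posts) of the grok pattern in the posts:
#   %{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT}\])?: %{GREEDYDATA:message}
# It also names the pid, which the posts' pattern matches but does not capture.
SYSLOG_LINE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[\]: ]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)


def parse_maillog_line(line):
    """Return the fields the grok filter would emit, or None if the line does not match."""
    m = SYSLOG_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def check_logstash_config(text):
    """Simplified pre-flight check for a Logstash pipeline file (assumption-based helper,
    not Logstash's own parser): reports lines with an odd number of unescaped double
    quotes, and a non-zero brace depth once strings and comments are ignored."""
    problems, depth = [], 0
    for lineno, line in enumerate(text.splitlines(), 1):
        code = re.sub(r"\\.", "", line).split("#", 1)[0]  # drop escapes, then comments
        if code.count('"') % 2:
            problems.append("line %d: odd number of double quotes" % lineno)
        code = re.sub(r'"[^"]*"', "", code)  # drop string literals before counting braces
        depth += code.count("{") - code.count("}")
    if depth != 0:
        problems.append("unbalanced braces: %+d" % depth)
    return problems


# Constructed sample lines in the format Filebeat ships from /var/log/maillog.
SAMPLE_LINES = [
    "Oct  8 10:15:01 mail postfix/smtpd[1234]: connect from unknown[203.0.113.5]",
    "Oct  8 10:15:02 mail postfix/qmgr[987]: 3A1B2C3D4E: removed",
    "not a syslog line at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_maillog_line(line))
    # Constructed snippet with the same stray closing quote as the posts' grok line.
    bad = 'filter {\n  grok {\n    match => { "message" => "%{DATA:program}"" }\n  }\n}\n'
    print(check_logstash_config(bad))
```

Note that grok writes the captured `message` over the original field, so the leading timestamp, host and program are no longer in `message` after the filter runs; the parser above mirrors that by returning only the captured part.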