ELK for Postfix

VlaKl (New Member), Apr 26, 2019
Hi

ELK (Elasticsearch, Logstash, Kibana) on 192.168.199.131
Filebeat on 192.168.199.145

In 192.168.199.131:

tcp6 0 0 127.0.0.1:9200 :::* LISTEN 68352/java
tcp6 0 0 ::1:9200 :::* LISTEN 68352/java

firewalld disabled.

In /etc/logstash/conf.d/input.conf:

input {
  beats {
    port => 5044
  }
}

In /etc/logstash/conf.d/output.conf:

output {
  elasticsearch {
    hosts => "localhost:9200"
    index => "postfix-%{+YYYY.MM.dd}"
  }
  #stdout { codec => rubydebug }
}
In /etc/logstash/conf.d/filter.conf:

filter {
  if [type] == "postfix" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT}\])?: %{GREEDYDATA:message}"" }
    }
  }

On Filebeat, /etc/filebeat/filebeat.yml:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/maillog*

output.logstash:
  hosts: ["192.168.199.131:5044"]

xpack.monitoring:
  enabled: true
  elasticsearch:
    hosts: ["http://192.168.199.131:9200"]

But there are no indexes in Kibana => parent index.
Any help?

VlaKl (New Member), Apr 26, 2019

UPD: I deleted input.conf and output.conf in /etc/logstash/conf.d/. Now, instead of them, there is one file, /etc/logstash/conf.d/postfix.conf:
input {
  beats {
    type => "postfix"
    port => 5044
  }
}

filter {
  if [type] == "postfix" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT}\])?: %{GREEDYDATA:message}"" }
    }
  }
}

output {
  elasticsearch {
    type => "postfix"
    hosts => "localhost:9200"
    index => "postfix-%{+YYYY.MM.dd}"
  }
  #stdout { codec => rubydebug }
}

But Logstash does not start. In the log /var/log/logstash/logstash-plain.log:
Failed to execute action {:action=>LogStash:pipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, } at line 11, column 124 (byte 234) after filter {\n if [type] == \"postfix\" {\n grok {\n match => { \"message\" => \"%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:rogram}(?:\\[%{POSINT}\\])?: %{GREEDYDATA:message}\"", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:41:in `compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:49:in `compile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in `block in compile_sources'", "org/jruby/RubyArray.java:2584:in `map'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:10:in `compile_sources'", "org/logstash/execution/AbstractPipelineExt.java:153:in `initialize'", "org/logstash/execution/JavaBasePipelineExt.java:47:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:26:in `initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:in `execute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:326:in `block in converge_state'"]}

What's wrong?
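A corrected single pipeline file, as an added example that is not part of the original posts. The parser error above points at line 11, column 124, which is where the posted grok pattern is closed with two quotes instead of one; the rewrite also drops the `type` option from the elasticsearch output (it is not a setting of that plugin) and adds `overwrite` so grok replaces `message` instead of turning it into an array. The port, index name and pattern are taken from the posts; the validation command in the first comment assumes the default package install path.

```logstash
# Added example: corrected /etc/logstash/conf.d/postfix.conf (not the poster's file).
# Validate before restarting the service:
#   /usr/share/logstash/bin/logstash --path.settings /etc/logstash -t -f /etc/logstash/conf.d/postfix.conf
input {
  beats {
    port => 5044
    # Filebeat 6+ no longer sets "type" on its own, so the events are tagged here
    # and the [type] condition in the filter block can match them.
    type => "postfix"
  }
}

filter {
  if [type] == "postfix" {
    grok {
      # The posted pattern ended in "" (a doubled quote), which is what produced
      # 'Expected one of #, {, }' at that column. A single closing quote here.
      match => { "message" => "%{SYSLOGTIMESTAMP} %{SYSLOGHOST} %{DATA:program}(?:\[%{POSINT}\])?: %{GREEDYDATA:message}" }
      # Without overwrite, grok appends to the existing field and "message"
      # becomes a two-element array (raw line plus captured remainder).
      overwrite => [ "message" ]
    }
  }
}

output {
  elasticsearch {
    # "type" is not accepted by the elasticsearch output; the [type] check in the
    # filter block already restricts which events are parsed, so it is omitted here.
    hosts => [ "http://localhost:9200" ]
    index => "postfix-%{+YYYY.MM.dd}"
  }
  # Uncomment while debugging to see every parsed event on the console:
  # stdout { codec => rubydebug }
}
```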