Hi Pedro!
I am using the ossec wazuh, I have a question about indexes.
I had implemented the logstash without using the file "elastic-ossec-
template.json". But I saw it would be good to use it. I am wanting use some
indexes and Kibana shows "Analyzed Field", like "AgentName".
I put the template in the configuration of logstash and the index has not
changed to "not analized".
My logstash output :
output {
#for archives.json log
if [type] == "ossecall" {
elasticsearch {
hosts => "127.0.0.1:9200"
index => "ossecall-%{+YYYY.MM.dd}"
document_type => "ossecall"
template => "/etc/logstash/elastic-ossec-template2.json"
template_name => "ossecall"
template_overwrite => true
}
}
#for alerts.json log
else {
elasticsearch {
hosts => "127.0.0.1:9200"
index => "ossec-%{+YYYY.MM.dd}"
document_type => "ossec"
template => "/etc/logstash/elastic-ossec-template.json"
template_name => "ossec"
template_overwrite => true
}
}
}
Can you help me?
Em quinta-feira, 2 de junho de 2016 08:25:09 UTC-3, Pedro S escreveu:
>
> Hi Maxim,
>
> How are you forwarding the alerts/archives to Kibana?
>
> I think you will need the archives JSON output setting, if you are using
> Wazuh <http://wazuh.com/>, edit *ossec.conf *and add the following
> setting:
>
> <global>
>> *<logall_json>yes</logall_json>*
>> </global>
>
>
>
> Once you do it, you will find new archives.json events files at:
>
> /var/ossec/logs/archives/archives.json
>
>
>
> The next step is forward these archives events to Elasticsearch, in order
> to do it we need to edit Logstash configuration.
>
> My personal advice to index archives events is to create a dedicated index
> pattern just for them, so you will be able to distinguish between events
> and alerts, adding inside "output" section the following configuration:
>
> output {
> if [type] == "ossec-alerts" {
> elasticsearch {
> hosts => ["127.0.0.1:9200"]
> index => "ossec-%{+YYYY.MM.dd}"
> document_type => "ossec"
> template => "/etc/logstash/elastic-ossec-template.json"
> template_name => "ossec"
> template_overwrite => true
> }
> }
> if [type] == "ossec-archives" {
> elasticsearch {
> hosts => ["127.0.0.1:9200"]
> index => "ossec-archives-%{+YYYY.MM.dd}"
> document_type => "ossec"
> template => "/etc/logstash/elastic-ossec-template.json"
> template_name => "ossec"
> template_overwrite => true
> }
> }
> }
>
>
> Later in Kibana you will need to create a new index pattern
> (Settings->indices) matching for "ossec-archives-*".
>
> If you need to "reindex" or read the a log file from the beginning using
> Logstash, you can use the file input with option *start_position *set to
> *beginning
> *(+ info)
> <https://www.elastic.co/guide/en/logstash/current/plugins-inputs-file.html#plugins-inputs-file-start_position>
>
>
>
> On Monday, May 30, 2016 at 4:53:10 PM UTC+2, Maxim Surdu wrote:
>>
>> i have this archives files with logs but in kibana i can not see them can
>> i reindex this files?
>> if i can, please help me step by step
>>
>> joi, 19 mai 2016, 10:17:51 UTC+3, Maxim Surdu a scris:
>>>
>>> Hi dear community,
>>>
>>> i had a problem with logstash, after i resolve it i saw what in kibana
>>> are missing logs, how can i resolve the problem and reindexing all my logs
>>> to kibana
>>> I will be thankful if someone will help me step by step
>>>
>>>
>>> i appreciate your help, and a lot of respect for developers and
>>> community!
>>>
>>
--
---
You received this message because you are subscribed to the Google Groups
"ossec-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to ossec-list+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
