
I'm evaluating the ELK stack with filebeat & logstash across a diverse range of applications/servers.

I understand the power of customising my own grok patterns for each application/log, but to get running initially it seems very inefficient to hand craft my own pattern for each application, when surely it's been done before me!

The filebeat bundled dashboards seem to create dashboards based on fields which I need to hand-craft myself in logstash (e.g. system.auth.sudo.command). Is there a better way with more 'batteries included' I am missing?

Dan Poltawski
This has always been a pretty big drawback for ELK. There are some existing patterns, but ideally the logs you feed into the system are already structured (e.g. JSON format). – jordanm Jan 18 '18 at 18:49

1 Answer


It's unfortunate, but the standard answer for this kind of thing in Logstash world is to customize your grok. They include lots of built-in patterns to make that easier, but you're still going to have to craft grok { } statements to utilize them. Logstash input {} plugins often include a set of schemas dedicated to that particular service, but syslog-style stuff isn't one of those inputs (especially from file sources).

sysadmin1138
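The grok-crafting the answer describes, shown as an added example that is not part of the original post or of Logstash's own code: a small Python re-implementation of grok's `%{NAME:field}` expansion over a constructed subset of the built-in pattern library, applied to a sudo auth.log line so that the result carries the nested system.auth.sudo.command field the question mentions. The other field names, the sample line and the simplified pattern definitions are assumptions.

```python
import re
# Constructed subset of Logstash's built-in grok pattern library (assumption:
# names follow the stock grok-patterns file; definitions are simplified here).
GROK_PATTERNS = {
    "MONTH": r"\b(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\b",
    "MONTHDAY": r"(?:0?[1-9]|[12][0-9]|3[01])",
    "TIME": r"(?:[01]?[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9]",
    "SYSLOGTIMESTAMP": r"%{MONTH} +%{MONTHDAY} %{TIME}",
    "HOSTNAME": r"[A-Za-z0-9][A-Za-z0-9.-]*",
    "POSINT": r"[1-9][0-9]*", "DATA": r".*?", "GREEDYDATA": r".*",
}
_REF = re.compile(r"%\{(\w+)(?::([\w\[\]]+))?\}")  # %{NAME} or %{NAME:field}

def compile_grok(pattern: str) -> re.Pattern:
    """Expand grok references recursively; a nested [a][b] field becomes group a__b."""
    def expand(m: re.Match) -> str:
        inner = _REF.sub(expand, GROK_PATTERNS[m.group(1)])
        field = m.group(2)
        if field is None:
            return f"(?:{inner})"
        return f"(?P<{field.strip('[]').replace('][', '__')}>{inner})"
    return re.compile(_REF.sub(expand, pattern))

def to_nested(flat: dict) -> dict:
    """Rebuild {'system__auth__user': 'alice'} as {'system': {'auth': {'user': 'alice'}}}."""
    out = {}
    for key, value in flat.items():
        *parents, leaf = key.split("__")
        node = out
        for part in parents:
            node = node.setdefault(part, {})
        node[leaf] = value
    return out

# Sudo pattern for auth.log lines (assumption: only system.auth.sudo.command is
# a field named by the question; the other field names are modelled on it).
SUDO_PATTERN = (
    r"%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:hostname} sudo(?:\[%{POSINT:pid}\])?:"
    r"\s+%{DATA:[system][auth][user]} : TTY=%{DATA:[system][auth][sudo][tty]} ; "
    r"PWD=%{DATA:[system][auth][sudo][pwd]} ; USER=%{DATA:[system][auth][sudo][user]} ; "
    r"COMMAND=%{GREEDYDATA:[system][auth][sudo][command]}"
)
# Constructed sample line, not captured from a real host.
SAMPLE_LINE = ("Jan 18 18:49:01 web01 sudo[12345]:   alice : TTY=pts/0 ; "
               "PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update")

def parse_sudo_line(line: str):
    """Nested fields for a matching line, or None where Logstash would add _grokparsefailure."""
    m = compile_grok(SUDO_PATTERN).match(line)
    return to_nested(m.groupdict()) if m else None
```

A line that does not match returns None, which is the case Logstash reports by tagging the event `_grokparsefailure`; watching for that tag is the quickest way to find log formats your hand-crafted pattern has not covered yet.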