{"id":3461,"date":"2019-07-01T21:46:10","date_gmt":"2019-07-01T18:46:10","guid":{"rendered":"https:\/\/kifarunix.com\/?p=3461"},"modified":"2022-01-22T11:44:03","modified_gmt":"2022-01-22T08:44:03","slug":"how-to-debug-logstash-grok-filters","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-debug-logstash-grok-filters\/","title":{"rendered":"How to Debug Logstash Grok Filters"},"content":{"rendered":"\n<p>Welcome to our guide on how to debug Logstash <a href=\"https:\/\/www.elastic.co\/guide\/en\/logstash\/current\/plugins-filters-grok.html\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"Grok filters (opens in a new tab)\">Grok filters<\/a>. The Grok filter uses regular expressions to parse unstructured event data into fields. It is perfect for syslog logs, Apache and other web server logs, MySQL logs or any human readable log format.<\/p>\n\n\n\n<p>This is handy when you want to extract individual fields from event data.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to Debug Logstash Grok Filters<\/h2>\n\n\n\n<p>In this guide, we are going to use sample SSH authentication logs to debug Logstash <a rel=\"noreferrer noopener\" aria-label=\"Grok Patterns (opens in a new tab)\" href=\"https:\/\/github.com\/logstash-plugins\/logstash-patterns-core\/tree\/master\/patterns\" target=\"_blank\">Grok Patterns<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Configuring Logstash Plugins<\/h3>\n\n\n\n<p>Assuming that you have already installed Logstash, proceed to configure it as follows. 
If you have not installed Logstash, see the links below on how to do so;<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-configure-logstash-7-on-ubuntu-18-debian-9-8\/\" target=\"_blank\">Install and Configure Logstash 7 on Ubuntu 18\/Debian 9.8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-logstash-7-on-fedora-30-fedora-29-centos-7\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Install Logstash 7 on Fedora 30\/Fedora 29\/CentOS 7<\/a><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Configure Logstash Input<\/h4>\n\n\n\n<p>For debugging, we are going to configure Logstash to read events from standard input. The plugin responsible for this is usually installed by default. To verify the installed plugins;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/usr\/share\/logstash\/bin\/logstash-plugin list | grep -i stdin\nlogstash-input-stdin<\/code><\/pre>\n\n\n\n<p>Create a Logstash pipeline configuration file under <strong>\/etc\/logstash\/conf.d<\/strong> and define the input plugin to begin with.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/logstash\/conf.d\/ssh-authentication.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>input {\n    stdin { }\n}\n...<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Configure Grok Filter Plugin<\/h4>\n\n\n\n<p>Next, configure the Logstash filter plugin for whatever logs you need to parse into fields. 
In this guide, we are using sample SSH authentication logs.<\/p>\n\n\n\n<p>The Grok filter is also installed by default.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/usr\/share\/logstash\/bin\/logstash-plugin list | grep -i filter-grok\nlogstash-filter-grok<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>Jul  1 05:49:25 fedora29 sshd&#91;16748]: Accepted password for root from 192.168.0.103 port 45382 ssh2\nJul  1 05:23:45 fedora29 sshd&#91;3603]: Failed password for root from 192.168.0.103 port 44074 ssh2<\/code><\/pre>\n\n\n\n<p>Our filter for the above sample logs is defined below. The hostname after the timestamp is the server that received the login attempt, so it is captured as <code>dst_host<\/code>; the address after <code>from<\/code> is the client, captured as <code>src_host<\/code>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ninput {\n    stdin { }\n}\n\nfilter {\n  grok {\n    match => { \"message\" => \"%{SYSLOGTIMESTAMP:timestamp}\\s+%{IPORHOST:dst_host}\\s+%{WORD:syslog_program}\\[\\d+\\]:\\s+(?<status>\\w+\\s+password)\\s+for\\s+%{USER:auth_user}\\s+from\\s+%{SYSLOGHOST:src_host}.*\" }\n  }\n}\n...\n<\/code><\/pre>\n\n\n\n<p>To build a Grok pattern, you can use the Kibana Grok Debugger or the <a rel=\"noreferrer noopener\" aria-label=\"Heroku App Grok Debugger (opens in a new tab)\" href=\"http:\/\/grokdebug.herokuapp.com\/\" target=\"_blank\">Heroku App Grok Debugger<\/a>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Configure Output Plugin<\/h4>\n\n\n\n<p>Configure Logstash to print the parsed event data to standard output for convenient debugging. 
You need to configure the output plugin to print event data using the Ruby &#8220;awesome_print&#8221;&nbsp;library, <strong>stdout { codec =&gt; rubydebug }<\/strong>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ninput {\n    stdin { }\n}\n\nfilter {\n  grok {\n    match => { \"message\" => \"%{SYSLOGTIMESTAMP:timestamp}\\s+%{IPORHOST:dst_host}\\s+%{WORD:syslog_program}\\[\\d+\\]:\\s+(?<status>\\w+\\s+password)\\s+for\\s+%{USER:auth_user}\\s+from\\s+%{SYSLOGHOST:src_host}.*\" }\n  }\n}\noutput {\n  elasticsearch { hosts => [\"192.168.0.106:9200\"] }\n  stdout { codec => rubydebug }\n}\n<\/code><\/pre>\n\n\n\n<p>Once you have Logstash configured, run the command below to check the configuration for errors.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudo -u logstash \/usr\/share\/logstash\/bin\/logstash --path.settings \/etc\/logstash -t<\/code><\/pre>\n\n\n\n<p>If you see <strong>Configuration OK<\/strong>, all is fine. Otherwise, fix any reported errors before you continue.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">How to Debug Logstash Grok Filters<\/h4>\n\n\n\n<p>Now that your configuration is done, stop the Logstash service and run the pipeline in the foreground with the commands below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl stop logstash<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>\/usr\/share\/logstash\/bin\/logstash -f \/etc\/logstash\/conf.d\/ssh-authentication.conf --path.settings \/etc\/logstash\/<\/code><\/pre>\n\n\n\n<p>Once you see the line <strong>Successfully started Logstash API endpoint {:port=&gt;9600}<\/strong>, paste your sample log line and press ENTER.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\nThe stdin plugin is now waiting for input:\n[2019-07-01T07:16:24,243][INFO ][logstash.agent           ] Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}\n[2019-07-01T07:16:24,904][INFO ][logstash.agent           ] Successfully started 
Logstash API endpoint {:port=>9600}\nJul  1 05:49:25 fedora29 sshd[16748]: Accepted password for root from 192.168.0.103 port 45382 ssh2 ENTER\n<\/code><\/pre>\n\n\n\n<p>Your log line will be parsed into fields if your Grok pattern matches it. If the pattern does not match, the event is printed unparsed and tagged <code>_grokparsefailure<\/code>, which tells you the pattern itself needs fixing.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\nJul  1 05:49:25 fedora29 sshd[16748]: Accepted password for root from 192.168.0.103 port 45382 ssh2\n{\n         \"auth_user\" => \"root\",\n          \"@version\" => \"1\",\n          \"src_host\" => \"192.168.0.103\",\n        \"@timestamp\" => 2019-07-01T04:37:29.244Z,\n              \"host\" => \"elastic.example.com\",\n           \"message\" => \"Jul  1 05:49:25 fedora29 sshd[16748]: Accepted password for root from 192.168.0.103 port 45382 ssh2\",\n         \"timestamp\" => \"Jul  1 05:49:25\",\n          \"dst_host\" => \"fedora29\",\n    \"syslog_program\" => \"sshd\",\n            \"status\" => \"Accepted password\"\n}\n<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\nJul  1 05:23:45 fedora29 sshd[3603]: Failed password for root from 192.168.0.103 port 44074 ssh2\n{\n         \"auth_user\" => \"root\",\n          \"@version\" => \"1\",\n          \"src_host\" => \"192.168.0.103\",\n        \"@timestamp\" => 2019-07-01T04:36:36.910Z,\n              \"host\" => \"elastic.example.com\",\n           \"message\" => \"Jul  1 05:23:45 fedora29 sshd[3603]: Failed password for root from 192.168.0.103 port 44074 ssh2\",\n         \"timestamp\" => \"Jul  1 05:23:45\",\n          \"dst_host\" => \"fedora29\",\n    \"syslog_program\" => \"sshd\",\n            \"status\" => \"Failed password\"\n}\n<\/code><\/pre>\n\n\n\n<p>From the output above, you can see that Logstash has parsed the SSH authentication logs for both failed and accepted password logins.<\/p>\n\n\n\n<p>That is all on how to debug Logstash Grok filters. 
You can try other logs the same way.<\/p>\n\n\n\n<p>Related Tutorials;<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-logstash-7-on-fedora-30-fedora-29-centos-7\/\" target=\"_blank\">Install Logstash 7 on Fedora 30\/Fedora 29\/CentOS 7<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-elastic-stack-7-on-fedora-30-fedora-29-centos-7\/\" target=\"_blank\">Install Elastic Stack 7 on Fedora 30\/Fedora 29\/CentOS 7<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-configure-filebeat-7-on-ubuntu-18-04-debian-9-8\/\" target=\"_blank\">Install and Configure Filebeat 7 on Ubuntu 18.04\/Debian 9.8<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-elastic-stack-7-on-fedora-30-fedora-29-centos-7\/\" target=\"_blank\">Install Elastic Stack 7 on Fedora 30\/Fedora 29\/CentOS 7<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/install-elastic-stack-7-on-ubuntu-18-04-debian-9-8\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Install Elastic Stack 7 on Ubuntu 18.04\/Debian 9.8<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to our guide on how to debug Logstash Grok filters. Grok filter uses regular expressions to parse unstructured event data into fields. 
It is<\/p>\n","protected":false},"author":2,"featured_media":8883,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[910,121,72],"tags":[4475,912,1021,1020,1022,921,4473,4474,4476],"class_list":["post-3461","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-elastic-stack","category-howtos","category-monitoring","tag-debug-your-logstash-configuration-file","tag-elastic-stack","tag-grok-debugger","tag-grok-filter","tag-grok-pattern","tag-logstash","tag-logstash-test-output","tag-quick-way-to-test-logstash-config-file","tag-testing-logstash-configuration","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3461"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=3461"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3461\/revisions"}],"predecessor-version":[{"id":11358,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/3461\/revisions\/11358"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/8883"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=3461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=3461"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=3461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}