Filebeat system modules #4573
I see filebeat modules integration is on the roadmap and that's so awesome, but could somebody help me with how to enable system auth module? It works really well parsing SSH auth logs on vanilla ELK, but really struggled this week to get it working in SO. I went so far as to stand up a test on vanilla ELK, copy the ingest pipeline JSON and put it in the ingest folder mentioned in the docs. Reloaded the ES server container, see the new pipeline, and sent Filebeat output to Logstash as usual. New auth logs aren't getting parsed as expected. Appreciate any help anyone has.
Replies: 1 comment 1 reply
You'd have to bind mount the FB module config, enable the module, ensure the pipeline(s) for the relevant module is/are loaded, and that there is an associated Logstash output that is active to send to Elasticsearch. It's a fairly convoluted process to go through, especially given that this will be much simpler in 2.3.60. I would recommend waiting until 2.3.60, as we would not support or be able to assist with any issues with regard to any other type of configuration.