pschiffe / rsyslog-elasticsearch-kibana Goto Github PK

Some users asked for SUDO logs to be also directed to the Centralized Logging. This might go in the same Dashboard as Client Logins.

Hi there.. I'm trying to search for user logins using the searches / dashboards set up for showing user logins, but I notice that the action field is not making it into elasticsearch. I'm not sure where that field should be getting introduced, but I think possibly it is as part of the normalize rules for the audit log. I don't fully understand how that turns into fields that end up being turned into the $!all-json variable used by the omelasticsearch module. In either case -- the search and dashboard aren't working, I believe because they required the action field to be identified and they never are. I definitely see messages if I search for type=USER_LOGIN. Any help would be appreciated.

I digged on the example of User logins per Host and it seems like the used parameters are not shown in Kibana, thus I can find an explicit cast of username in https://github.com/pschiffe/rsyslog-elasticsearch-kibana/blob/master/rsyslog/rules-authpriv.rb file but it doesn't seem to be working, Can you help us with this mate?

Hey @pschiffe
I love your approach:

template(name="elasticsearch-json" type="list") {
    constant(value="{")
    property(name="timestamp"  dateFormat="rfc3339" format="jsonf")
    constant(value=",")
    property(name="$!all-json" position.from="2")
}

# add interesting properties from rsyslog to $!all-json
set $!host     = $hostname;
set $!facility = $syslogfacility-text;
set $!severity = $syslogseverity-text;
set $!tag      = $syslogtag;
set $!message  = $msg;

Its brilliant for it allow a novice as me to easy change and edit the template.
Now i have been working on it for a couple of weeks but i really want to add field types is this at all possible in the way of defining the variables like you did in the conf ?

Here's my template I am looking for the syntax if it exists
something like this:

set $!source_ip = $fromhost-ip; type = ip;

# this is for index names to be like: rsyslog-YYYY.MM.DD
template(name="rsyslog-index" type="string" string="rsyslog-%$DAY%.%$MONTH%.%$YEAR%")

#  this is for formatting our syslog in JSON with @timestamp
# format the syslog messages as JSON for elasticsearch
template(name="json-syslog" type="list") {
    constant(value="{")
    property(name="timestamp"  dateFormat="rfc3339" format="jsonf")
    constant(value=",")
    property(name="$!all-json" position.from="2")
}

# add interesting properties from rsyslog to $!all-json
set $!hostc = $hostname;
set $!source_host = $fromhost;
set $!source_ip = $fromhost-ip;
set $!program = $programname;
set $!facilitynr = $syslogfacility;
set $!serveritynr = $syslogseverity;
set $!priority = $syslogpriority;
set $!rsys_module = $inputname;
set $!host = $fromhost;
set $!facility = $syslogfacility-text;
set $!severity = $syslogseverity-text;
set $!tag = $syslogtag;
set $!msg = $msg;
set $!org_msg = $rawmsg;

thanks !

how to set password to this log server?