ELK Syslog server - Kibana

ELK Syslog server Kibana Queries

ELK syslog oplossing, binnen de MSO

Eric van Dijken <[email protected]>

Novamedia Wiki (Infra3.0 Space)

ELK Flow

Syslog Server = Logstash Broker

SYSTEMEN ADMIN GEBRUIKERS

KIBANA

KIBANA QUERY (Interval Settings)

KIBANA QUERY (Interval Settings)

KIBANA QUERY (AD-HOC)

• If your "Time Interval" is to short or just plain wrong... you won't see any events!

• If your "Refresh Interval" is short and your query takes longer, you won't see any events!

• If your syslog source system is on GMT, you may have to look for your events 2 hours in the past! (because ELK in on CEST)

KIBANA QUERY (query line)

KIBANA QUERY (query line)

KIBANA QUERY (query line, tips)

• You can enter almost anything, you want to search for, a name, a ip adress and so on.

• We can match an entire phrase: "to be or not to be"

• In specifc fields: line_id:86169

• We can express complex searches with AND/OR, note these words must be capitalized: food AND love

• Or parantheses: ("played upon" OR "every man") AND stage

• Numeric ranges can also be easily searched: line_id:[30000 TO 80000] AND havoc

• To display everything: *

KIBANA QUERY (display query results)

• If you start fresh, you will see the results of "_source“

This may be helpful, but not really easy to read.

• But most sources will have a "filter" for syslog_hostname, syslog_program and syslog_message.




• Remember:

If no "Selected Fields" are selected... _source will be displayed.


• Sometimes its handy to make a selection for a specific host.


• Click on the small ">", this will open the "event"


• Click on the "+" next to the field, this will lock the query to this field, with this value.


• If you "hover" over the "field selection", you can remove it or "inverse" it.


KIBANA LAST TIPS

• QUICK COUNT (last 500 events)

KIBANA

Questions ?

Documents

ELK Syslog server - Kibana