ELK – Logstash Email Alerting Config Issues

Question

I've been playing around with logstash and wanting to know how to exactly configure email alerting correctly.

I'm looking to pick up the string "BVDCS_LAP" and send a mail onto that address given.

The config I have is:

input {
  udp {
    port => 5000
    type => syslog
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch { host => localhost }
  stdout { codec => rubydebug }
}
  email {
    from => "mymail@domain"
    match =>  {
               "BVDCS_LAP", "message,BVDCS_LAP",
               "BVDCS_LAP", "message,BVDCS_LAP"
              }
    subject => "%{matchName}"
    to => "mymail@domain"
    via => "smtp"
    body => "Here is the event line that occured: %{message}"
    htmlbody => "<h2>%{matchName}</h2><br/><br/><h3>Full Event</h3><br/><br/><div align='center'>%{@message}</div>"
  }
}

E-mails are not being sent and in my logstash.conf I'm seeing the below on line 27:

{:timestamp=>"2015-07-07T12:55:50.597000+0100", :message=>"Error: Expected one of #, input, filter, output at line 27, column 8 (byte 649) after "}

I’m curious as well to know if my original grok coding is correct and also if we could work out how to set a tag for a syslog message and use that as the email output?

Thanks

What is the `match` parameter for the email output supposed to mean? According to the documentation it's not even a valid parameter. If you want a conditional email output you should use a conditional block. — Magnus Bäck, Jul 08 '15 at 05:37

score 0 · Answer 1 · answered Jul 09 '15 at 04:13

0

Logstash is not really built for alerts. I've seen a couple of people try to use it but it was very limited (single strings) and worked only in very small scale.

You can try a solution like Logz.io (disclaimer: I work there) which offers alerts on top of logstash/Elasticsearch. You ship logs from your logstash to Logz.io, then configure the string you're looking and it sends you email alerts when that string matches.

answered Jul 09 '15 at 04:13

Tomer Levy

357
1
4

Thanks but that looks payware and does it require replacement of kIbana as the UI? – Ben Lavender Jul 10 '15 at 10:40
No need for any replacement, it offers Kibana 4 frontend. It is a paid service but there is a pretty large free tier (up to 30GB per months) for free. Another alternative is to build an alert system on top of the open source ELK and install it in-house. Not trivial to make it work. – Tomer Levy Jul 11 '15 at 12:43

score 0 · Answer 2 · answered Jul 01 '16 at 11:52

0

I resolved this last year using the email plugin with conditional script blocks as Magnus advised.

Happy to add some samples if anyone needs them.

answered Jul 01 '16 at 11:52

Ben Lavender

146
7

ELK – Logstash Email Alerting Config Issues

2 Answers2