Start your 14-day free trial today & Get 20% Off All Annual Managed ELK Plans
No Credit Card Required
Try Logit.io FreeAlready have an account? Sign In
Red Hat (RHEL) System Logs
Ship system log files from Red Hat Enterprise Linux (RHEL) to Logstash
Configure Filebeat to ship logs from Red Hat Systems to Logstash and Elasticsearch.
Step 1 - Install Filebeat
deb (Debian/Ubuntu/Mint)
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.8.1-amd64.deb
sudo dpkg -i filebeat-oss-7.8.1-amd64.deb
rpm (CentOS/RHEL/Fedora)
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.8.1-x86_64.rpm
sudo rpm -vi filebeat-oss-7.8.1-x86_64.rpm
macOS
curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-oss-7.8.1-darwin-x86_64.tar.gz
tar xzvf filebeat-oss-7.8.1-darwin-x86_64.tar.gz
Windows
- Download the filebeat Windows zip file from the official downloads page.
- Extract the contents of the zip file into C:\Program Files.
- Rename the
filebeat-<version>-windows
directory tofilebeat
. - Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.
- Run the following commands to install filebeat as a Windows service:
cd 'C:\Program Files\filebeat'
.\install-service-filebeat.ps1
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-filebeat.ps1
.
Step 2 - Enable system module
There are several built in filebeat modules you can use. To enable the system module run.
sudo filebeat modules list
sudo filebeat modules enable system
Additional module configuration can be done using the per module config files located in the modules.d folder, most commonly this would be to read logs from a non-default location
deb/rpm /etc/filebeat/modules.d/
mac/win <EXTRACTED_ARCHIVE>/modules.d/
Step 4 - Configure output
We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.
## Comment out elasticsearch output
#output.elasticsearch:
# hosts: ["localhost:9200"]
Uncomment and change the logstash output to match below.
output.logstash:
hosts: ["your-logstash-host:your-ssl-port"]
loadbalance: true
ssl.enabled: true
Step 5 - Validate configuration
Let's check the configuration file is syntactically correct by running filebeat directly inside the terminal.
If the file is invalid, filebeat will print an error loading config file
error message with details on how to correct the problem.
deb/rpm
sudo filebeat -e -c /etc/filebeat/filebeat.yml
macOS
cd <EXTRACTED_ARCHIVE>
./filebeat -e -c filebeat.yml
Windows
cd <EXTRACTED_ARCHIVE>
.\filebeat.exe -e -c filebeat.yml
Step 6 - (Optional) Update logstash filters
All Logit stacks come pre-configured with popular Logstash filters. We would recommend that you add system specific filters if you don't already have them, to ensure enhanced dashboards and modules work correctly.
Edit your Logstash filters by choosing Stack > Settings > Logstash Filters
if [fileset][module] == "system" {
if [fileset][name] == "auth" {
grok {
match => { "message" => ["%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} %{DATA:[system][auth][ssh][method]} for (invalid user )?%{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]} port %{NUMBER:[system][auth][ssh][port]} ssh2(: %{GREEDYDATA:[system][auth][ssh][signature]})?",
"%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: %{DATA:[system][auth][ssh][event]} user %{DATA:[system][auth][user]} from %{IPORHOST:[system][auth][ssh][ip]}",
"%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sshd(?:\[%{POSINT:[system][auth][pid]}\])?: Did not receive identification string from %{IPORHOST:[system][auth][ssh][dropped_ip]}",
"%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} sudo(?:\[%{POSINT:[system][auth][pid]}\])?: \s*%{DATA:[system][auth][user]} :( %{DATA:[system][auth][sudo][error]} ;)? TTY=%{DATA:[system][auth][sudo][tty]} ; PWD=%{DATA:[system][auth][sudo][pwd]} ; USER=%{DATA:[system][auth][sudo][user]} ; COMMAND=%{GREEDYDATA:[system][auth][sudo][command]}",
"%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} groupadd(?:\[%{POSINT:[system][auth][pid]}\])?: new group: name=%{DATA:system.auth.groupadd.name}, GID=%{NUMBER:system.auth.groupadd.gid}",
"%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} useradd(?:\[%{POSINT:[system][auth][pid]}\])?: new user: name=%{DATA:[system][auth][user][add][name]}, UID=%{NUMBER:[system][auth][user][add][uid]}, GID=%{NUMBER:[system][auth][user][add][gid]}, home=%{DATA:[system][auth][user][add][home]}, shell=%{DATA:[system][auth][user][add][shell]}$",
"%{SYSLOGTIMESTAMP:[system][auth][timestamp]} %{SYSLOGHOST:[system][auth][hostname]} %{DATA:[system][auth][program]}(?:\[%{POSINT:[system][auth][pid]}\])?: %{GREEDYMULTILINE:[system][auth][message]}"] }
pattern_definitions => {
"GREEDYMULTILINE"=> "(.|\n)*"
}
remove_field => "message"
}
date {
match => [ "[system][auth][timestamp]", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
geoip {
source => "[system][auth][ssh][ip]"
target => "[system][auth][ssh][geoip]"
}
}
else if [fileset][name] == "syslog" {
grok {
match => { "message" => ["%{SYSLOGTIMESTAMP:[system][syslog][timestamp]} %{SYSLOGHOST:[system][syslog][hostname]} %{DATA:[system][syslog][program]}(?:\[%{POSINT:[system][syslog][pid]}\])?: %{GREEDYMULTILINE:[system][syslog][message]}"] }
pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
remove_field => "message"
}
date {
match => [ "[system][syslog][timestamp]", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
Step 7 - Start filebeat
Ok, time to start ingesting data!
sudo systemctl enable filebeat
sudo systemctl start filebeat
Step 8 - Red Hat Logs Overview
Red Hat Enterprise Linux (RHEL) is the most popular commercial Linux distribution used in public cloud environments.
Red Hat Enterprise Linux is often compared to CentOS. The main difference between the two Linux distributions is that RHEL offers a much more comprehensive level of technical support to their users.
Red Hat Enterprise Linux generates a near overwhelming amount of log files under the /var/log/ directory. Just under /var/log/messages alone there are mail, cron, daemon, kern & authentication logs.
Below are some of the most notable log directories that you’ll commonly encounter.
If you are using custom-built Kernels then you’ll likely need to analyse the logs contained under /var/log/kern.log when it comes to troubleshooting your application.
The log messages found under /var/log/secure are relevant for monitoring the security of your Linux distribution as they contain authentication events, login attempts & authorisation log events.
You may also wish to consult /var/log/setroubleshoot/ to discover issues related to the security context of logs files created under this directory.
With over 25 different log directories anyone would quickly find analysing their Red Hat system overwhelming without a log file analyser as part of a centralised log management solution.
Our HA (highly available) Red Hat log file analyser can be used to completely centralise and manage your log file data across Red Hat & any additional applications, servers & programming languages for a single source of truth for monitoring across your organisation.
If you need any assistance with analysing your Red Hat logs we're here to help. Feel free to reach out by contacting the Logit support team via live chat & we'll be happy to help you start analysing your data.