Gman

Reputation: 2453

How to read /var/log/wtmp logs in elasticsearch

I am trying to read the access logs from /var/log/wtmp in elasticsearch.

I can read the file when logged into the box by using last -F /var/log/wtmp

I have logstash running and sending logs to elasticsearch; here is the logstash conf file.

input {
  file {
    path => "/var/log/wtmp"
    start_position => "beginning"
  }
}

output {
  elasticsearch {
    host => localhost
    protocol => "http"
    port => "9200"
  }
}

What is showing in elasticsearch is:


G

Upvotes: 1

Views: 3090

Answers (2)

hurb

Reputation: 2227

Vineeth's answer is right but the following cleaner config works as well:

input { pipe { command => "last" } }

last /var/log/wtmp and last are exactly the same.


utmp, wtmp, btmp are Unix files that keep track of user logins and logouts. They cannot be read directly because they are not regular text files. However, there is the last command which displays the information of /var/log/wtmp in plain text.

$ last --help

Usage:
 last [options] [<username>...] [<tty>...]

I can read the file when logged into the box by using last -F /var/log/wtmp

I doubt that. What the -F flag does:

-F, --fulltimes      print full login and logout times and dates

So, last -F /var/log/wtmp will interpret /var/log/wtmp as a username and won't print any login information.

What the -f flag does:

-f, --file <file>    use a specific file instead of /var/log/wtmp

Upvotes: 1
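To make concrete why Logstash's file input shows only binary data, here is a small parser for the wtmp record format that emits one JSON document per login session, the way `last` pairs logins with logouts. This is an added example, not code from the question or either answer; it assumes glibc's 384-byte x86_64 `struct utmp` layout (32-bit systems and other libcs differ) and uses a constructed sample instead of a real /var/log/wtmp.

```python
import json
import struct
import sys
from datetime import datetime, timezone

# glibc struct utmp on x86_64 Linux (assumption: 384-byte little-endian records).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384
UT_TYPES = {2: "BOOT_TIME", 7: "USER_PROCESS", 8: "DEAD_PROCESS"}  # subset of ut_type values

def _cstr(raw):
    """Decode a NUL-padded fixed-width char field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_wtmp(data):
    """Yield one dict per whole record; a trailing partial record is ignored."""
    for off in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, user, host, tv_sec = f[0], f[1], f[2], f[4], f[5], f[9]
        yield {"type": UT_TYPES.get(ut_type, str(ut_type)), "pid": pid,
               "line": _cstr(line), "user": _cstr(user), "host": _cstr(host),
               "@timestamp": datetime.fromtimestamp(tv_sec, tz=timezone.utc).isoformat()}

def sessions(records):
    """Pair each USER_PROCESS with the next DEAD_PROCESS on the same tty (as `last` does)."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            open_by_line[r["line"]] = dict(r, logout=None)  # logout stays None if still open
            out.append(open_by_line[r["line"]])
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            open_by_line.pop(r["line"])["logout"] = r["@timestamp"]
    return out

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used only to construct the offline sample below."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed sample: a reboot, an SSH login on pts/0, and its logout two hours later.
SAMPLE_WTMP = b"".join([make_record(2, 0, "~", "reboot", "5.15.0", 1700000000),
                        make_record(7, 4242, "pts/0", "alice", "203.0.113.7", 1700003600),
                        make_record(8, 4242, "pts/0", "", "", 1700007200)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for s in sessions(parse_wtmp(data)):
        print(json.dumps(s))  # one JSON document per login, ready to index
```

Run with `python3 wtmp2json.py /var/log/wtmp` (needs read access to the file) to get JSON lines that a `json` codec can ship to Elasticsearch without relying on the locale-dependent text layout of `last`.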

Vineeth Mohan

Reputation: 19283

Once I opened the file using less, I could only see binary data. Now logstash can't understand this data. A logstash config like the following should work fine:

input {
  pipe {
    command => "/usr/bin/last -f /var/log/wtmp"
  }
}

output {
  elasticsearch {
    host => localhost
    protocol => "http"
    port => "9200"
  }
}

Upvotes: 4
