Hi.  I've deployed elasticsearch with logstash and kibana to take in 
Windows logs from my OSSEC log server, following this guide: 
http://vichargrave.com/ossec-log-management-with-elasticsearch/
I've tweaked the logstash config to extract some specific fields from the 
logs, such as User_Name.  I'm having some issues searching on these fields 
though.

These searches work as expected:

   - User_Name: * 
   - User_Name: john.smith
   - User_Name: john.*
   - NOT User_Name: john.*

But I'm having problems with Computer accounts, which take the format 
"w-dc-01$" - they're being split on the "-" and the "$" is ignored.  So a 
search for "w-dc-01" returns all the servers named "w-<anything>".  Also I 
can't do "NOT User_Name: *$" to exclude computer accounts.

The mappings are created automatically by logstash, and GET 
/logstash-2014.01.08/_mapping shows:

   "User_Name": {
      "type": "multi_field",
      "fields": {
         "User_Name": {
            "type": "string",
            "omit_norms": true
         },
         "raw": {
            "type": "string",
            "index": "not_analyzed",
            "omit_norms": true,
            "index_options": "docs",
            "include_in_all": false,
            "ignore_above": 256
         }
      }
   },

My (limited) understanding is that the "not_analyzed" should stop the field 
from being split, so that my searching matches the full name, but it doesn't.  
I'm trying both kibana and curl to get results.

Hope this makes sense.  I really like the look of elasticsearch, but being 
able to search on extracted fields like this is pretty key to me using it.

Thanks.


To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/62e3ebfc-aaa3-4af0-b93e-d4454146607b%40googlegroups.com.
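Added illustration, not part of the original post and not Elasticsearch's own code: a toy inverted index that models what the mapping above actually does. The multi_field has two sides: "User_Name" is analyzed (the standard analyzer splits "w-dc-01$" into the terms w, dc and 01 and drops the "$"), while the "raw" sub-field is not_analyzed and stores the value as a single term. A query written as User_Name:w-dc-01 goes against the analyzed side, so it is tokenized the same way and matches every w-* host; the exact-match behaviour only exists on User_Name.raw, which is what queries such as User_Name.raw:"w-dc-01$" and NOT User_Name.raw:*$ have to name. The sample events are constructed, and the tokenizer is an approximation of the standard analyzer that is accurate for these values (hyphen splits, "$" dropped, "john.smith" kept whole, which is why john.* works), not a reimplementation of Lucene.

```python
import re
from collections import defaultdict

# Constructed sample events standing in for OSSEC/Windows logon records.
EVENTS = [
    {"id": 1, "User_Name": "john.smith"},
    {"id": 2, "User_Name": "jane.doe"},
    {"id": 3, "User_Name": "w-dc-01$"},
    {"id": 4, "User_Name": "w-dc-02$"},
    {"id": 5, "User_Name": "w-file-01$"},
]


def analyze_standard(text):
    """Approximation of the standard analyzer for these values: split on
    '-' and whitespace, drop '$', lowercase. 'john.smith' stays one term."""
    return [t.lower() for t in re.findall(r"[A-Za-z0-9.]+", text)]


def analyze_keyword(text):
    """not_analyzed: the whole value is a single term, unchanged."""
    return [text]


def build_inverted_index(events, analyzer, field="User_Name"):
    """term -> set of document ids, exactly like Lucene's postings."""
    inv = defaultdict(set)
    for ev in events:
        for term in analyzer(ev[field]):
            inv[term].add(ev["id"])
    return inv


class ToyIndex:
    """Models the two sides of the multi_field: User_Name (analyzed) and
    User_Name.raw (not_analyzed), each with its own postings."""

    def __init__(self, events):
        self.all_ids = {ev["id"] for ev in events}
        self.fields = {
            "User_Name": (analyze_standard,
                          build_inverted_index(events, analyze_standard)),
            "User_Name.raw": (analyze_keyword,
                              build_inverted_index(events, analyze_keyword)),
        }

    def term_query(self, field, value):
        """field:value. The query text is run through the field's analyzer,
        then the terms are OR'd (query_string's default operator)."""
        analyzer, inv = self.fields[field]
        hits = set()
        for term in analyzer(value):
            hits |= inv.get(term, set())
        return hits

    def wildcard_query(self, field, pattern):
        """field:pat*ern. Wildcards are NOT analyzed: the pattern is compared
        against the stored terms, so '*$' can only match a term ending in '$'."""
        _, inv = self.fields[field]
        rx = re.compile("^" + re.escape(pattern).replace(r"\*", ".*") + "$")
        return {doc for term, ids in inv.items() if rx.match(term) for doc in ids}

    def negate(self, ids):
        """NOT field:... -> every document not in the hit set."""
        return self.all_ids - ids


if __name__ == "__main__":
    idx = ToyIndex(EVENTS)
    print("User_Name:w-dc-01        ->", sorted(idx.term_query("User_Name", "w-dc-01")))
    print('User_Name.raw:"w-dc-01$" ->', sorted(idx.term_query("User_Name.raw", "w-dc-01$")))
    print("NOT User_Name:*$         ->", sorted(idx.negate(idx.wildcard_query("User_Name", "*$"))))
    print("NOT User_Name.raw:*$     ->", sorted(idx.negate(idx.wildcard_query("User_Name.raw", "*$"))))
```

The first and third queries reproduce the two symptoms in the post (every w-* host matches, and the NOT *$ exclusion removes nothing because no analyzed term ends in "$"); the second and fourth show the same searches against the raw sub-field returning exactly the computer account and exactly the human accounts. In Kibana 3 or a query_string body via curl, the field name to use is User_Name.raw; the alternative is to change the logstash mapping template so User_Name itself is not_analyzed, at which point john.* style prefix searches still work because wildcard terms are not analyzed either.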