Gather a set of records

[SowAbdoul]

curl -s 192.168.100.197:9200/dc-abj-srvabj03/_search | jq . | grep rec
          "rec": "ac7e22b2aa62483ca130f27660601a7c-208f8-55cec3",
          "rec": "ac7e22b2aa62483ca130f27660601a7c-208f8-55cec3",
          "rec": "ac7e22b2aa62483ca130f27660601a7c-208f8-55cec3",
          "rec": "ac7e22b2aa62483ca130f27660601a7c-208f8-55cec3",
          "rec": "ac7e22b2aa62483ca130f27660601a7c-208f8-55cec3",
          "rec": "ac7e22b2aa62483ca130f27660601a7c-208f8-55cec3",
          "rec": "ac7e22b2aa62483ca130f27660601a7c-208f8-55cec3",
          "rec": "ac7e22b2aa62483ca130f27660601a7c-208f8-55cec3",
          "rec": "ac7e22b2aa62483ca130f27660601a7c-208f8-55cec3",
          "rec": "ac7e22b2aa62483ca130f27660601a7c-208f8-55cec3",

Instead of getting one record, I get several. Am I doing something wrong or is this a bug?
On kibana, I can get 100 hits for a single session, one hit that gives the info about the user, rec, session and everything else, it is out_txt.

$MaxMessageSize 3k

$ModLoad imuxsock

$ModLoad imjournal 

# OmitLocalLogging on

$ModLoad omelasticsearch

template(name="tlog" type="list") {
    constant(value="{")
    property(name="timegenerated"
             outname="timestamp"
             format="jsonf"
             dateFormat="rfc3339")
    constant(value=",")
    property(name="msg"
             regex.expression="{\\(.*\\)"
             regex.submatch="1")
    constant(value="\n")
}

template(name="dc-abj-{{ ansible_hostname | lower }}" type="string" string="dc-abj-{{ ansible_hostname | lower }}-%$YEAR%.%$MONTH%.%$DAY%")

action(type="omelasticsearch"
       name="tlog-elasticsearch"
       server="{{ groups['elkserver'][0] }}"
       serverport="9200"
       searchIndex="dc-abj-{{ ansible_hostname | lower }}"
       searchType="tlog"
       bulkmode="on"
       action.resumeretrycount="-1"
       errorfile="/var/log/omelasticsearch.log"
       template="tlog")

[justin-stephenson]

Are you able to playback recordings from the command line with tlog-play -r journal -M TLOG_REC=ac7e22b2aa62483ca130f27660601a7c-208f8-55cec3 ?

Recordings are made up of several log messages, you can check the systemd journal (or syslog) to see evidence of this.

Can you try testing with various query strings as explained in https://github.com/Scribery/tlog#playing-back-from-elasticsearch

[SowAbdoul]

Thanks, I can read them, I wonder if we can't filter instead, tlog collects a user's credentials and assigns a session number per login.
When I use kibana, I find that there are over 100 logs for a single login session. One log contains the information I mentioned above and all the rest are actions performed by the standard output users

I would like to filter this so that it shows me the user IDs and the session number.

[SowAbdoul]

Hello @justin-stephenson

I have an environment consisting of:

2 machines, each with tlog and rsyslog-client installed
1 remote machine serving as an ERK, Elastic-Kibana with rsyslog server installed
The sessions are being transferred to the monitoring machine, but currently, I'm viewing the records on the local machines. I would like to be able to directly view the records on the ERK machine. How can I achieve this?