Can I make two inputs and outputs in the Logstash config file?

Hello all.

I want to get two indexes from two inputs in one Logstash config file. (One is from a tshark file and the other one is from Filebeat, so the data are different.)

The tshark data is converted to a JSON file for input, and Filebeat is using the Suricata module.

So my concept was

input {
  file {
    path => "/path/tshark.json"
    type => "tshark"
  }
  beats {
    port => 5044
    type => "filebeat"
  }
}

filter {
  if [type] == "tshark" {
    ~~~
  }
  else if [type] == "filebeat" {
    ~~~
  }
}

output {
  if [type] == "tshark" {
    elasticsearch {
      # the elasticsearch output option is "hosts", not "host"
      hosts => ["address:port"]
      index => "tshark"
    }
  }
  else if [type] == "filebeat" {
    elasticsearch {
      hosts => ["address:port"]
      index => "filebeat"
    }
  }
}

It doesn't work for me. It didn't create any index. I used [tags] instead of [type]; in that case the filtering was not applied to each index.
So I tried multiple pipelines too, but the result was that two indexes were created with the same data but with different names.

Could you give me some advice?

Thank you.

This is wrong; the conditional needs to be outside the output plugin:

output {
    if [type] == "tshark" {
        elasticsearch { your elasticsearch output }
    } else if [type] == "filebeat" {
        elasticsearch { your elasticsearch output }
    }
}

But the best approach is to use different pipelines with pipelines.yml: in one pipeline you would have the input and output for tshark, and in the other the input and output for Filebeat.
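
The separate-pipelines layout suggested above, written out as an added example that is not part of the thread. The pipeline ids are assumed names; the file path, Beats port, index names and the `address:port` placeholder are taken from the question, and each pipeline is defined inline with `config.string` so the two never share a config file.

```yaml
# pipelines.yml (added example; pipeline ids are assumed names)

# Pipeline 1: tshark JSON file -> "tshark" index
- pipeline.id: tshark
  config.string: |
    input {
      file {
        path => "/path/tshark.json"     # path from the question
      }
    }
    # filter { ... }  tshark-only filters go here, no [type] conditional needed
    output {
      elasticsearch {
        hosts => ["address:port"]       # placeholder from the question
        index => "tshark"
      }
    }

# Pipeline 2: Filebeat (Suricata module) -> "filebeat" index
- pipeline.id: filebeat
  config.string: |
    input {
      beats {
        port => 5044
      }
    }
    # filter { ... }  Filebeat/Suricata-only filters go here
    output {
      elasticsearch {
        hosts => ["address:port"]       # placeholder from the question
        index => "filebeat"
      }
    }
```

Logstash reads pipelines.yml only when it is started without `-f`/`-e` and without `path.config` set in logstash.yml. All files matched by a single `path.config` are concatenated into one pipeline, in which case every event reaches every output.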

Oops, it was a typo. I made the output the same as you wrote. I will change the original post.

I also tried pipelines, but the result was that two indexes were created with the same data but with different names.

Thank you for replying!

You need to share your pipelines.yml configuration and Logstash logs; it is not possible to know what the issue is without them.