Hello Community,
At the moment, my config file for incoming logs looks like this:
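input {
  # Plain syslog over UDP is unauthenticated and trivially spoofable: anything
  # that can reach this port can inject events, including ones crafted to take
  # the content-based branches below. Restrict reachability at the firewall or
  # bind to a specific interface with `host =>`; prefer TCP/TLS where senders
  # support it.
  udp {
    port => 5140
    type => syslog
  }
}

filter {
  # Splits a `syslog_pri` field into facility/severity. Nothing in this config
  # extracts `syslog_pri` from the raw message, so this only acts when that
  # field already exists (e.g. set by a grok not shown here).
  syslog_pri { }

  # Same caveat: `syslog_timestamp` is never populated in this config, so
  # @timestamp stays at the receive time rather than the event's own time
  # until a grok sets that field.
  date {
    match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }

  # FortiGate branch, selected purely by message content (`devname=`), not by
  # sender address.
  if [message] =~ /devname=/ {
    # Every `key=value` pair in the message becomes a field. Keys come from
    # untrusted input, so a forged message can create arbitrary fields and bloat
    # the Elasticsearch mapping; constrain this with `include_keys` once the
    # expected FortiGate key set is known.
    kv {
      source => "message"
    }
    mutate {
      # One hash per operation is the documented form; the separate
      # `convert =>` entries of the original are merged here.
      convert => {
        "cpu"          => "integer"
        "mem"          => "integer"
        "disk"         => "integer"
        "totalsession" => "integer"
      }
      # FortiGate's own `type`/`subtype` keys are moved aside so they do not
      # collide with the Logstash `type` that the output section routes on.
      rename => {
        "type"    => "fgt_type"
        "subtype" => "fgt_subtype"
      }
      # `replace` instead of `add_field`: add_field appends when the field is
      # already present (turning `type` into an array if a message carried no
      # `type=` key, or `fortilog` into an array if a message contained
      # `fortilog=`), and an array never satisfies the `== "syslog"` /
      # `== "1"` checks in the output. replace sets a single string value in
      # either case. Mutate runs rename before replace, so `type` is set after
      # the FortiGate value has been moved to `fgt_type`.
      replace => {
        "type"     => "syslog"
        "fortilog" => "1"
      }
      lowercase => [ "vd" ]
    }
  }

  # Presumably VMware ESX host logs; again selected by message content (`-esx-`).
  if [message] =~ /-esx-/ {
    # Structured form: `... service: level process [Originator@NNNN k=v ...] text`.
    if [message] =~ /^\S+ \S+ \S+ \S+: \S+ \S+ \[Originator@\d+ [^]]+\] .*$/
    {
      grok {
        match => [ "message", "\S+ \S+ (?<syslog_hostname>\S+) (?<esxservice>\S+): (?<level>\S+) (?<esxprocess>\S+) \[Originator@\d+ (?<esxsubinfo>[^]]+)\] (?<esxmessage>.*)" ]
      }
      # The bracketed Originator block is itself key=value; the same
      # untrusted-key caveat as the FortiGate kv above applies.
      kv {
        source => "esxsubinfo"
      }
    }
    else {
      # Anything else: keep host and service, leave the remainder as one field.
      grok {
        match => [ "message", "^\S+ \S+ (?<syslog_hostname>\S+) (?<esxservice>\S+): (?<esxservicemessage>.*)$" ]
      }
    }
  }
}

output {
  # Every event from the udp input carries type=syslog, and the FortiGate branch
  # re-sets it after the rename, so this condition currently matches everything.
  if [type] == "syslog" {
    # Placeholder endpoint. Once real, configure TLS and authentication on this
    # output so the indexing path is neither cleartext nor anonymous.
    elasticsearch {
      hosts => ["X.X.X.X:XXXX"]
      index => "logstash"
    }
  }
}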
If I now want to send the logs that receive the field `fortilog: 1` to a different index, how can I manage that?
I've tried something like this:
if [fortilog] == "1" {
elasticsearch {
hosts => ["X.X.X.X:XXXX"]
index => "SampleIndex1"
}
}
else
elasticsearch {
hosts => ["X.X.X.X:XXXX"]
index => "SampleIndex2"
}
}
}
But this does not seem to work: I'm not able to create an index pattern, even if I create the index manually.
Any ideas?
Thanks in advance.