Classifying different events using logstash

Ram_Jeghan · May 5, 2020, 9:55pm

Hi,

We have log events from different sources:

windows
syslog
firewall
-database
etc

dumped into the same file from a legacy process.

event1 could be windows, event2 could be oracle etc.,

What would be the best way to classify and seperate different types of log events.

I attempted using logstash groks based on presence of specific elements in the events to route the events to different folders.

For example, ORACLE logs have ORA in the message

filter {
    grok {
        match => { "[log][file][path]" => "/tmp/log/%{WORD:type}/%{DATA}" }
    }
}

output{
      file {
        path => "/tmp/target/%{type}/%{+yyyy.MM.dd.HH}/log.out"
     }
}

The above will not cover all the scenarios.

Is there a cleaner approach to perform the same.

Thank you

system · June 2, 2020, 9:55pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Windows event classification mapping - is there a source for this? Logstash	3	397	April 6, 2022
GROK filter for different events sourced fro the same input Logstash	2	625	May 23, 2017
Large amount of Grok patterns Logstash	2	780	July 6, 2017
Filtering Windows Event Logs Logstash	11	6335	July 6, 2017
Logstash - Multiple Log Sources 'Syslog' Logstash	3	1846	July 6, 2017

Classifying different events using logstash

Related topics