Hi,
We have log events from different sources:
- windows
- syslog
- firewall
- database
etc.
dumped into the same file from a legacy process.
event1 could be Windows, event2 could be Oracle, etc.
What would be the best way to classify and separate the different types of log events?
I attempted using Logstash grok patterns, based on the presence of specific elements in the events, to route the events to different folders.
For example, Oracle logs have ORA in the message:
filter {
  grok {
    match => { "[log][file][path]" => "/tmp/log/%{WORD:type}/%{DATA}" }
  }
}
output {
  file {
    path => "/tmp/target/%{type}/%{+yyyy.MM.dd.HH}/log.out"
  }
}
The above will not cover all the scenarios.
Is there a cleaner approach to perform the same?
Thank you
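One way to classify on the content of each event instead of the file path, as an added example that is not from the original post: a chain of conditionals sets a `[@metadata]` type, and the output path reuses the directory layout above. The match patterns for syslog, firewall and Windows events are assumptions (constructed from common formats) and should be adjusted to the real sources; `[@metadata]` is used so the type drives routing without being written into the output file.

```logstash
filter {
  # Classify each event by its content; the first matching branch wins,
  # so put the most specific patterns first.
  if [message] =~ /ORA-\d{5}/ {
    mutate { add_field => { "[@metadata][log_type]" => "oracle" } }
  } else if [message] =~ /^<\d{1,3}>/ or [message] =~ /^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ / {
    # Assumed syslog shapes: RFC 5424 "<PRI>" prefix, or RFC 3164 timestamp + host.
    mutate { add_field => { "[@metadata][log_type]" => "syslog" } }
  } else if [message] =~ /\bSRC=\d+\.\d+\.\d+\.\d+\b/ and [message] =~ /\bDST=/ {
    # Assumed firewall format (netfilter-style key=value fields).
    mutate { add_field => { "[@metadata][log_type]" => "firewall" } }
  } else if [message] =~ /Microsoft-Windows-|EventID=/ {
    # Assumed Windows event markers; adapt to the collector's actual output.
    mutate { add_field => { "[@metadata][log_type]" => "windows" } }
  } else {
    # Nothing is silently dropped: unmatched events get their own directory
    # and a tag, so gaps in the rules can be found and fixed.
    mutate {
      add_field => { "[@metadata][log_type]" => "unclassified" }
      add_tag   => [ "_classify_nomatch" ]
    }
  }

  # Type-specific parsing can follow the classification, e.g. pull the
  # Oracle error code out once the event is known to be an Oracle event.
  if [@metadata][log_type] == "oracle" {
    grok { match => { "message" => "ORA-%{NUMBER:oracle_error_code}" } }
  }
}

output {
  file {
    path => "/tmp/target/%{[@metadata][log_type]}/%{+yyyy.MM.dd.HH}/log.out"
  }
}
```

Counting events that carry the `_classify_nomatch` tag (or watching the `unclassified` directory) shows how much of the mixed file the rules still fail to cover.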