Classifying different events using logstash


We have log events from different sources:

  • windows
  • syslog
  • firewall

dumped into the same file from a legacy process.

event1 could be windows, event2 could be oracle, etc.

What would be the best way to classify and separate different types of log events?

I attempted using logstash groks based on presence of specific elements in the events to route the events to different folders.

For example, ORACLE logs have ORA in the message

filter {
    # Pull the type out of the source path, e.g. /tmp/log/oracle/... -> type = "oracle"
    grok {
        match => { "[log][file][path]" => "/tmp/log/%{WORD:type}/%{DATA}" }
    }
}

output {
    # Route each event to a directory named after the extracted type
    file {
        path => "/tmp/target/%{type}/%{+yyyy.MM.dd.HH}/log.out"
    }
}

The above will not cover all the scenarios.

Is there a cleaner approach to perform the same?

Thank you
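One way to classify by content rather than by source path, added here as an example and not part of the original post: an ordered chain of conditionals that tags each event with a type under `[@metadata]` and routes on that tag, with a catch-all bucket for lines no rule claims. The sample lines in the generator input are constructed, and the regexes for the Windows, syslog (RFC 3164 header) and firewall (Cisco ASA style) lines are assumptions chosen for the samples; only the `ORA-` rule comes from the post.

```conf
# Added example, not the original poster's config. Sample lines are constructed.
input {
  generator {
    lines => [
      "ORA-01017: invalid username/password; logon denied",
      "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
      "An account failed to log on. EventID: 4625 Subject: Security ID: S-1-0-0",
      "%ASA-6-302013: Built outbound TCP connection 11 for outside:10.0.0.1/443",
      "some line no rule claims"
    ]
    count => 1
  }
}

filter {
  # Order matters: the first branch that matches wins, so put the most
  # specific patterns first and keep a catch-all at the end.
  # The classifier lives under [@metadata] so it is usable in sprintf
  # references but is never written to the output file.
  if [message] =~ /ORA-\d{5}/ {
    mutate { add_field => { "[@metadata][type]" => "oracle" } }
  } else if [message] =~ /^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} / {
    # Assumed RFC 3164 header: <PRI>Mmm dd HH:MM:SS
    mutate { add_field => { "[@metadata][type]" => "syslog" } }
  } else if [message] =~ /EventID: \d+/ {
    # Assumed Windows Event Log export format
    mutate { add_field => { "[@metadata][type]" => "windows" } }
  } else if [message] =~ /%ASA-\d-\d{6}/ {
    # Assumed Cisco ASA syslog message ID
    mutate { add_field => { "[@metadata][type]" => "firewall" } }
  } else {
    # Nothing claimed the line: keep it, but in its own bucket for review
    # rather than silently dropping it or misfiling it.
    mutate {
      add_field => { "[@metadata][type]" => "unclassified" }
      add_tag   => [ "_unclassified" ]
    }
  }
}

output {
  file {
    path  => "/tmp/target/%{[@metadata][type]}/%{+yyyy.MM.dd.HH}/log.out"
    codec => line { format => "%{message}" }
  }
}
```

Run it with `bin/logstash -f classify.conf` and check that every sample line lands in exactly one directory and that `unclassified/` holds only the last one. Each `=~` test is a Ruby regex, so anchor and narrow them (a bare `ORA` would also match unrelated text); when a rule starts catching lines it should not, the `_unclassified` tag and the order of the chain are the two things to adjust.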
