Hi all,
I have a working filter for a specific log, and I am happy with that. However, one other log is being matched on it, even though the conditional I am using should not do so. I am matching on tags.
```
if "access" and "apache" in [tags] {
  grok {
    match => [ "message", "%{BACKOFFICEAPACHELOG}" ]
    overwrite => [ "timestamp", "message" ]
    tag_on_failure => [ "_grokfail_access" ]
  }
  date {
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    add_tag => [ "dateparsesuccess" ]
  }
}
```
Filebeat sends a log, tagged with "apache" and "access" and this parses nicely. Another log on the same device is sent, but tagged differently: it is tagged "apache" but NOT "access". Why is this log being matched with this pattern? The log format is different, so the grok parse fails (time stamp format is different), and clutters my logstash log file. No bueno. Any thoughts?
Filebeat config here:
```yaml
filebeat:
  prospectors:
    -
      paths:
        - /var/log/php_cli.log
      input_type: php_error
      fields_under_root: true
      fields:
        host: bohost0
        tags: ["php","error","bo","cli","internal"]
    -
      paths:
        - /var/www/bo..local/logs/access.ssl.log
      input_type: apache_access
      fields_under_root: true
      fields:
        host: bohost0
        tags: ["apache","access","bo","internal"]
    -
      paths:
        - /var/www/bo..local/logs/error.ssl.log
      input_type: apache_error
      fields_under_root: true
      fields:
        host: bohost0
        tags: ["apache","error","bo","internal"]
  registry_file: /var/lib/filebeat/registry
```
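Added example (not part of the original post) that models the conditional in Python, where `in` binds tighter than `and` just as in the Logstash conditional: `"access" and "apache" in [tags]` reduces to the `apache` membership test alone because a non-empty string literal is truthy, so the error log tagged `apache,error` enters the filter and then fails the access-log timestamp parse. The events, timestamps and `route()` helper are constructed for illustration; only the tag sets come from the post.

```python
from datetime import datetime

# Constructed sample events mirroring the post's three Filebeat prospectors.
# Timestamps are made up but follow each log type's usual shape.
EVENTS = [
    {"source": "access.ssl.log", "tags": ["apache", "access", "bo", "internal"],
     "timestamp": "10/Oct/2016:13:55:36 +0200"},
    {"source": "error.ssl.log", "tags": ["apache", "error", "bo", "internal"],
     "timestamp": "Mon Oct 10 13:55:36.123456 2016"},
    {"source": "php_cli.log", "tags": ["php", "error", "bo", "cli", "internal"],
     "timestamp": "10-Oct-2016 13:55:36 Europe/Amsterdam"},
]


def buggy_condition(tags):
    # Same shape as the post's `if "access" and "apache" in [tags]`.
    # Parsed as: "access" and ("apache" in tags). The literal "access" is
    # truthy, so the result is just ("apache" in tags).
    return bool("access" and "apache" in tags)


def fixed_condition(tags):
    # Each membership test written out, so both tags are actually required.
    return "access" in tags and "apache" in tags


def parse_access_timestamp(ts):
    # Python equivalent of the post's date pattern dd/MMM/yyyy:HH:mm:ss Z.
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")


def route(events, condition):
    """Map each event's source to 'skipped', 'parsed' or 'failed'.

    'failed' is the case that shows up as a parse failure in the Logstash
    log: the event passed the conditional but is not an access-log line.
    """
    outcome = {}
    for ev in events:
        if not condition(ev["tags"]):
            outcome[ev["source"]] = "skipped"
            continue
        try:
            parse_access_timestamp(ev["timestamp"])
            outcome[ev["source"]] = "parsed"
        except ValueError:
            outcome[ev["source"]] = "failed"
    return outcome
```

With `buggy_condition` the error log is routed into the access-log parse and fails; with `fixed_condition` it is skipped, and only the access log is parsed.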