I have hosts that have log files in different formats, Vision and Triad. They are being collected by Filebeat and shipped to Logstash. I have a Logstash config file set up for Beats as shown in the docs. At this point it's pretty much a pass-through (see below). I want to be able to transform the Triad logs, but leave the Vision logs alone.
So I am a little confused about how to tell Logstash to differentiate between the two types of logs that it will be seeing. It's not clear to me from the Beats input plugin docs how to do that in the input section.
filebeat.inputs:
# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.
- type: log
  enabled: true
  paths:
    - /usr/cbridge/msg/LaunchPad/*.log
    - /usr/cbridge/msg/Manager/*.log
    - /usr/cbridge/msg/Reporting/*.log
    - /usr/cbridge/msg/WorkOrderPrinting/*.log
  # Handle Java exceptions and put them on one line
  multiline.pattern: '^[[:space:]]+(at|\.{3})\b|^Caused by:'
  multiline.negate: true
  multiline.match: after
- type: log
  enabled: true
  paths:
    - /usr/cbridge/msg/current.msg
  # Exclude the line of dashes TODO this seems to get ignored when multiline is working. Probably need to strip it in logstash
  exclude_lines: ['^-+$']
  # Set up the pattern to harvest the multiline
  multiline.pattern: '^[A-Z]+: '
  multiline.negate: true
  multiline.match: after
Thanks for the response Ryan, I appreciate it. I think the basic issue is that I have one pipeline definition "vision-logs-pipeline.conf". It has one input section to listen for Beats. The Beat sends both log types to Logstash, and they appear at the input section. Once I have filtered, I don't know how to send the filtered data to the correct output.
Vision logs = A
Triad logs = B
Filebeat(A, B) -> LogstashInput() -> Filter( A -> output1, B-> output2) -> Output1(A) -> ElasticIndex1
                                                                        -> Output2(B) -> ElasticIndex2
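One way to get the A/B routing sketched above in a single pipeline, as an added example that is not from any poster in this thread: tag each Filebeat input with a custom field and branch on it with Logstash conditionals. The field name `log_type`, its values, the index names, the Elasticsearch host, and the dash-stripping `gsub` standing in for the Triad transform are all assumptions.

```logstash
# Assumed Filebeat side (not in the original post): each input carries a
# custom field, for example on the Triad input:
#   fields:
#     log_type: triad      # and "vision" on the Vision input
# Without fields_under_root, it arrives in Logstash as [fields][log_type].

input {
  beats {
    port => 5044
  }
}

filter {
  if [fields][log_type] == "triad" {
    # Triad-only transforms go here. As a stand-in, drop the dash-only
    # separator lines that survive inside a multiline event.
    mutate {
      gsub => ["message", "^-+$\n?", ""]
    }
  }
  # Vision events match no branch and pass through unchanged.
}

output {
  if [fields][log_type] == "triad" {
    elasticsearch {
      hosts => ["http://localhost:9200"]     # assumed host
      index => "triad-%{+YYYY.MM.dd}"        # assumed index name
    }
  } else {
    elasticsearch {
      hosts => ["http://localhost:9200"]     # assumed host
      index => "vision-%{+YYYY.MM.dd}"       # assumed index name
    }
  }
}
```

Events that arrive without the field fall into the `else` branch, so an untagged input lands in the Vision index rather than being dropped.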
Glad to hear it's working, hopefully someone a little more advanced than me can help you streamline it if it even needs to be. You're many levels above where I'm at, good for you!!!
Haha, well after all that, I sort of realized that I probably don't want to split it into separate indexes. Ah well, at least I learned something interesting.