Hi ,
I have following conf file.
It create only one index (auth1) in my elastisearch not the other one .
input {
file {
type => "Apache"
path => "/home/test/test1.log"
start_position => beginning
}
file {
type => "Auth"
path => "/var/log/auth.log"
start_position => beginning
}
}
filter {
if [type] == "Apache" {
grok {
match => { "message" => '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{N
UMBER:response:int} (?:-|%{NUMBER:bytes:int}) %{QS:referrer} %{QS:agent}'}
}
date {
match => [ "timestamp" , "dd/MMM/yyyy:HH:mm:ss Z" ]
}
geoip {
source => "clientip"
target => "geoip"
database => "/home/Downloads/test/GeoLiteCity.dat" # e.g. database =>"E:/logstash/GeoLiteCity.dat"
add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
}
mutate {
convert => [ "[geoip][coordinates]", "float" ]
}
}
if [type] == "Auth" {
grok {
match => { "message" => '%{SYSLOGBASE} %{GREEDYDATA:logline}' }
}
}
}
output {
if [type] == "Apache" {
stdout { codec => rubydebug }
elasticsearch {
hosts => "localhost:9200"
index => "apache1"
}
}
if [type] == "Auth" {
stdout { codec => rubydebug }
elasticsearch {
hosts => "localhost:9200"
index => "auth1"
}
}
}
Please help me in this !!
Thanks
Gaurav