I have this config in filebeat.yml:
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/nginx/access.log
fields_under_root: true
fields:
service_name: "nginx"
##### OutPut #######
output.logstash:
hosts: ["x.x.x.x:5044"]
and in logstash config:
input {
beats {
port => 5044
}
}
filter {
if [fields][service_name] == 'nginx' {
json { source => "message" }
}
}
output {
if [fields][service_name] == 'nginx' {
elasticsearch {
hosts => ["https://x.x.x.x:9200"]
user => "user"
password => "password"
index => "logstash_nginx"
cacert => "/usr/share/logstash/config/elasticsearch-ca.pem"
ssl_certificate_verification => false
}
stdout{ codec => rubydebug }
}
}
But nothing happens!? Where is my mistake? filebeat config or logstash config?
thanks.
******** Update *******
when I disable if
in logstash config, filebeat sends the field correctly (service_name).
So, why logstash if
not work?
thanks.