Custom name index kibana

TheSun · October 4, 2019, 1:48am

Hi,
I am handling pfsense data with ELK stack.
But I have 2 pfsense. How to put data of each pfsense into a different index?
I tried with logstash output but it didn't work.
This is my configuration.
Please!! help me!!

input {
  tcp {
type => "syslog2"
port => 5140
  }
}
input {
  udp {
type => "syslog2"
port => 5140
  }
}

    filter {  
      if [type] == "syslog2" {
    #change to pfSense ip address
    if [host] =~ /10\.10\.2\.2/ {
      mutate {
        add_tag => ["PFSense", "Ready"]
      }
    }
    if "Ready" not in [tags] {
      mutate {
        add_tag => [ "syslog2" ]
      }
    }
      }
    }
    filter {  
      if [type] == "syslog2" {
    mutate {
      remove_tag => "Ready"
    }
      }
    }

    filter {  
      if "syslog2" in [tags] {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM  dd HH:mm:ss" ]
      locale => "en"
    }
    if !("_grokparsefailure" in [tags]) {
      mutate {
        replace => [ "@source_host", "%{syslog_hostname}" ]
        replace => [ "@message", "%{syslog_message}" ]
      }
    }
    mutate {
      remove_field => [ "syslog_hostname", "syslog_message", "syslog_timestamp" ]
    }
    #    if "_grokparsefailure" in [tags] {
    #      drop { }
    #    }
      }
    }





    filter {  
      if "PFSense" in [tags] {
    grok {
      add_tag => [ "firewall" ]
      match => [ "message", "<(?<evtid>.*)>(?<datetime>(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\s+(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9]) (?:2[0123]|[01]?[0-9]):(?:[0-5][0-9]):(?:[0-5][0-9])) (?<prog>.*?): (?<msg>.*)" ]
    }
    mutate {
      gsub => ["datetime","  "," "]
    }
    date {
      match => [ "datetime", "MMM dd HH:mm:ss" ]
      timezone => "Asia/Ho_Chi_Minh"
    }
    mutate {
      replace => [ "message", "%{msg}" ]
    }
    mutate {
      remove_field => [ "msg", "datetime" ]
    }
    }
    if [prog] =~ /^filterlog$/ {  
    mutate {
      remove_field => [ "msg", "datetime" ]
    }
    grok {
      patterns_dir => "/etc/logstash/conf.d/patterns"
      match => [ "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}",
                 "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IPv4_SPECIFIC_DATA_ECN}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}",
                 "message", "%{PFSENSE_LOG_DATA}%{PFSENSE_IPv6_SPECIFIC_DATA}"]
    }
    mutate {
      lowercase => [ 'proto' ]
    }
    geoip {
      add_tag => [ "GeoIP" ]
      source => "src_ip"
      # Optional GeoIP database
      # Comment out the below if you do not wise to utilize and omit last three steps dealing with (recommended) suffix
      database => "/etc/logstash/GeoLite2-City.mmdb"
    }
      }
    }




    output { stdout { codec => rubydebug }
    	if [type] == "syslog2" {
          elasticsearch {
          hosts => ["http://10.10.1.166:9200"]
          index => "Pfsense1-%{+YYYY.MM.dd}"
       }
    }
    	else {
    	  elasticsearch {
    	  hosts => ["http://10.10.1.166:9200"]
          index => "Pfsense2-%{+YYYY.MM.dd}"
    	}
     }
    }

Badger · October 4, 2019, 6:31pm

Your output is conditional on the value of [type], but every event is assigned the same [type] by the input. Did you mean to make it conditional on [tags]?

TheSun · October 5, 2019, 2:42am

Sorry!! I want to somehow have my index created so that I can distinguish between index PFsens1 and index PFsense2.

system · November 2, 2019, 2:42am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.