Elasticsearch creating different indices with identical data

I recently moved from ELK stack 7.X to 8.8.2. I'm using my old Logstash pipline confs. For some reason Elasticsearch/Kibana is showing each individual index but each index as the same data. I don't think its a dataview thing as each index appears to have the same data. I create the dataview and can see the same docs in each data view with the meta fields listing just one index.

These are the output fields from my pipliines

  elasticsearch {
        hosts           => ["https://X.X.X.X:9200"]
        manage_template => true
        #ilm_enabled => "auto"
        #ilm_rollover_alias => "cisco-asa"
        #ilm_pattern => "000001"
        #ilm_policy => "cisco_asa_rollover_policy"
        index => "logstash-asa-%{+YYYY.MM.dd}"
        ssl => true
        ssl_verification_mode => full
        ssl_certificate_authorities => "/etc/logstash/certs/http_ca.crt"
        user => "logstash_writer"
        password => "mm8ekmNQGokjtRT"
        #document_type   => "%{type}"
        #document_id     => "%{fingerprint}"

    elasticsearch {
        hosts           => ["https://X.X.X.X:9200"]
        manage_template => true
        #ilm_enabled => "auto"
        #ilm_rollover_alias => "cisco-ios"
        #ilm_pattern => "000001"
        #ilm_policy => "cisco_ios_rollover_policy"
        index => "logstash-ios-%{+YYYY.MM.dd}"
        ssl => true
        ssl_verification_mode => full
        ssl_certificate_authorities => "/etc/logstash/certs/http_ca.crt"
        user => "logstash_writer"
        password => "mm8ekmNQGokjtRT"
        #document_type   => "%{type}"
        #document_id     => "%{fingerprint}"

Are those outputs in the same Logstash configuration file?

If yes, then this is expected as you do not have any conditional, so every input you have will be sent to every output you have.

You will need to use conditionals based on some field or use multiple pipelines.

Sorry, no they are not, they are different .conf pipeline files. Below is one of the .conf files. Please excuse the sloppy comments and what not :smiley:

input {
  # Receive Cisco ASA logs on the standard syslog UDP port 514
  udp {
    port => "8514"
    type => "cisco-asa"

filter {
  if [type] == "cisco-asa" {
    # Split the syslog part and Cisco tag out of the message
    grok {
      patterns_dir => ["/etc/logstash/conf.d/patterns/asa/patterns-asa"]
      match => ["message", "%{CISCO_TAGGED_SYSLOG} %{GREEDYDATA:cisco_message}"]

    # Parse the syslog severity and facility
#    syslog_pri { }

    # Parse the date from the "timestamp" field to the "@timestamp" field
    #date {
    #  match => ["timestamp",
    #    "MMM dd HH:mm:ss",
    #    "MMM  d HH:mm:ss",
    #    "MMM dd yyyy HH:mm:ss",
    #    "MMM  d yyyy HH:mm:ss"
    #  ]
    #  timezone => "America/Chicago"

    # Clean up redundant fields if parsing was successful

    if "_grokparsefailure" in [tags] {
     mutate {
        rename => ["cisco_message", "failed_1"]
   } else {
        mutate {
                rename => ["cisco_message", "message"]

    # Extract fields from the each of the detailed message types
    # The patterns provided below are included in Logstash since 1.2.0
    grok {
      patterns_dir => ["/etc/logstash/conf.d/patterns/asa/patterns-asa"]
      match => [
        "message", "%{CISCOFW106001}",
        "message", "%{CISCOFW106012_106017}",
        "message", "%{CISCOFW106006_106007_106010}",
        "message", "%{CISCOFW106014}",
        "message", "%{CISCOFW106015}",
        "message", "%{CISCOFW106016}",
        "message", "%{CISCOFW106021}",
        "message", "%{CISCOFW106023}",
        "message", "%{CISCOFW106100}",
        "message", "%{CISCOFW110002}",
        "message", "%{CISCOFW111001_111007}",
        "message", "%{CISCOFW111008}",
        "message", "%{CISCOFW111010}",
        "message", "%{CISCOFW113003}",
        "message", "%{CISCOFW113004_113009}",
        "message", "%{CISCOFW113011}",
        "message", "%{CISCOFW113019}",
        "message", "%{CISCOFW113022_113023}",
        "message", "%{CISCOFW120003_120011}",
        "message", "%{CISCOFW199001_199005}",
        "message", "%{CISCOFW201010}",
        "message", "%{CISCOFW209005}",
        "message", "%{CISCOFW302010}",
        "message", "%{CISCOFW302013_302014_302015_302016}",
        "message", "%{CISCOFW302020_302021}",
        "message", "%{CISCOFW303002}",
        "message", "%{CISCOFW302003_302004}",
        "message", "%{CISCOFW305006}",
        "message", "%{CISCOFW305011}",
        "message", "%{CISCOFW305013}",
        "message", "%{CISCOFW308001}",
        "message", "%{CISCOFW313001_313004_313008}",
        "message", "%{CISCOFW313005}",
        "message", "%{CISCOFW321006}",
        "message", "%{CISCOFW313009}",
        "message", "%{CISCOFW315011}",
        "message", "%{CISCOFW322004}",
        "message", "%{CISCOFW341004_341011}",
        "message", "%{CISCOFW402117}",
        "message", "%{CISCOFW402119}",
        "message", "%{CISCOFW405001_405003}",
        "message", "%{CISCOFW409023}",
        "message", "%{CISCOFW411001_411004}",
        "message", "%{CISCOFW419001}",
        "message", "%{CISCOFW419002}",
        "message", "%{CISCOFW434002_434003}",
        "message", "%{CISCOFW500004}",
        "message", "%{CISCOFW505001_505006_323001_323006}",
        "message", "%{CISCOFW505014_505015}",
        "message", "%{CISCOFW602101}",
        "message", "%{CISCOFW602303_602304}",
        "message", "%{CISCOFW604103}",
        "message", "%{CISCOFW606001_606004}",
        "message", "%{CISCOFW607001}",
        "message", "%{CISCOFW710001_710002_710003_710005_710006}",
        "message", "%{CISCOFW710004}",
        "message", "%{CISCOFW711004}",
        "message", "%{CISCOFW713172}",
        "message", "%{CISCOFW717027}",
        "message", "%{CISCOFW720002_720006_721001}",
        "message", "%{CISCOFW722051_113039_722022}",
        "message", "%{CISCOFW722001_722003}",
        "message", "%{CISCOFW722028}",
        "message", "%{CISCOFW722033}",
        "message", "%{CISCOFW725001_725002_725007}",
        "message", "%{CISCOFW725003}",
        "message", "%{CISCOFW725016}",
        "message", "%{CISCOFW733100}",
        "message", "%{CISCOFW733101}",
        "message", "%{CISCOFW733102_733103}",
        "message", "%{CISCOFW734001_734004}",
        "message", "%{CISCOFW735015_735026}",
        "message", "%{CISCOFW737034}",
        "message", "%{CISCOFW771002}"
        add_tag => [ "matched" ]


    geoip {
      source => "src_ip"
      target => "geoip"
    geoip {
      source => "dst_ip"
      target => "dst_geoip"

    if "matched" in [tags] {
     mutate {
        remove_field => ["message"]
   } else {
        mutate {
        rename => ["message", "failed_2"]


output {
  # Archive Cisco ASA firewall logs on disk based on the event's timestamp
  # Results in directories for each year and month, with conveniently-named log files, like:
  # /path/to/archive/cisco-asa/2014/2014-09/cisco-asa-2014-09-24.log
#  file {
#    path => "/var/log/logstash/%{type}/%{+YYYY-MM}/%{type}-%{+YYYY-MM-dd}.log"
#  }

  elasticsearch {
        hosts           => ["https://X.X.X.X:9200"]
        manage_template => true
        #ilm_enabled => "auto"
        #ilm_rollover_alias => "cisco-asa"
        #ilm_pattern => "000001"
        #ilm_policy => "cisco_asa_rollover_policy"
        index => "logstash-asa-%{+YYYY.MM.dd}"
        ssl => true
        ssl_verification_mode => full
        ssl_certificate_authorities => "/etc/logstash/certs/http_ca.crt"
        user => "logstash_writer"
        password => "PASS"
        #document_type   => "%{type}"
        #document_id     => "%{fingerprint}"

  #stdout  {
  #     codec => rubydebug


Here is the other

# INPUT - Logstash listens on port 8515 for these logs.

input {
  udp {
    port => "8515"
    type => "syslog-cisco"


# FILTER - Try to parse the cisco log format
# Configuration:
#   service timestamps log datetime msec localtime
#   logging source-interface Loopback0
#   logging host transport udp port 8515
#   logging trap 6

filter {
  # NOTE: The frontend logstash servers set the type of incoming messages.
  if [type] == "syslog-cisco" {
    # The switches are sending the same message to all syslog servers for redundancy, this allows us to
    ## only store the message in elasticsearch once by generating a hash of the message and using that as
    ## the document_id.
    fingerprint {
      source              => [ "message" ]
      method              => "SHA1"
      key                 => "This is my super secret passphrase for uniqueness."
      concatenate_sources => true

    # Parse the log entry into sections.  Cisco doesn't use a consistent log format, unfortunately.
    grok {
      # There are a couple of custom patterns associated with this filter.
      patterns_dir => [ "/etc/logstash/conf.d/patterns/ios" ]

      match => [
        # IOS
        "message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence})?:( %{HOSTNAME:hostname}:)? (%{INT:cisco_seq_num}: )?.?%{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: ( )?%{GREEDYDATA:message}",
        "message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence})?:( %{HOSTNAME:hostname}:)? (%{INT:cisco_seq_num}: )?.?%{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: ( )?%{GREEDYDATA:message}"

      overwrite => [ "message" ]

      add_tag => [ "ciscoios" ]

      remove_field => [ "syslog5424_pri", "@version" ]

#Disambiguate timezones
                gsub => [
               "log_date", "EST|EDT", "EST5EDT",
               "log_date", "CST|CDT", "CST6CDT",
               "log_date", "MST|MDT", "MST7MDT",
               "log_date", "PST|PDT", "PST8PDT"

  # If we made it here, the grok was sucessful
  if "ciscoios" in [tags] {
    date {
      match => [

        # IOS
        "MMM dd HH:mm:ss.SSS ZZZ",
        "MMM  d HH:mm:ss.SSS ZZZ",
        "MMM dd HH:mm:ss ZZZ",
        "MMM  d HH:mm:ss ZZZ",
        "MMM dd HH:mm:ss.SSS",
        "MMM  d HH:mm:ss.SSS",

        # Hail marry
      timezone => "America/Chicago"
      remove_field => ["tag_on_failure"]

    # Add the log level's name instead of just a number.
    mutate {
      gsub => [
        "severity_level", "0", "0 - Emergency",
        "severity_level", "1", "1 - Alert",
        "severity_level", "2", "2 - Critical",
        "severity_level", "3", "3 - Error",
        "severity_level", "4", "4 - Warning",
        "severity_level", "5", "5 - Notification",
        "severity_level", "6", "6 - Informational"

    # Translate the short facility name into a full name.
    # NOTE:  This is a third party plugin: logstash-filter-translate
    translate {
      field       => "facility"
      destination => "facility_full"

      dictionary => [
        "AAA", "Authentication, authorization, and accounting",
        "AAA_CACHE", "Authentication, authorization, and accounting cache",
        "AAAA", "TACACS+ authentication, authorization, and accounting security",
        "AAL5", "ATM Adaptation Layer 5",
        "AC", "Attachment circuit",
        "ACCESS_IE", "Access information element",
        "ACE", "Access control encryption",
        "ACL_ASIC", "Access control list ASIC",
        "ACLMERGE", "Access control list merge",
        "ACLMGR", "Access control list manager",
        "ADAPTER", "CMCC adapter task",
        "ADJ", "Adjacency subsystem",
        "AESOP_AIM", "Service engine advanced interface module",
        "AFLSEC", "Accelerated Flow Logging Security",
        "AHDLC_TRINIAN", "PPP in HDLC-like framing device driver",
        "AICMGMT", "Alarm interface controller management",
        "AIM", "Advanced Interface Module (AIM)",
        "AIP", "ATM Interface Processor",
        "ALARM", "Telco chassis alarm related",
        "ALC", "ATM line card (ALC)",
        "ALIGN", "Memory optimization in Reduced Instruction Set Computer (RISC) processor",
        "ALPS", "Airline Protocol Support",
        "AMD79C971_FE", "Am79C971 Fast Ethernet device driver",
        "AMDP2_FE", "AMDP2 Ethernet and Fast Ethernet",
        "AP", "Authentication Proxy (AP)",
        "APPFW", "APPFW for HTTP subsystem",
        "APS", "Automatic Protection Switching",
        "ARAP", "Apple Remote Access Protocol (ARAP)",
        "ARCHIVE_CONFIG", "Archive configuration-related",
        "ARCHIVE_DIFF", "Archive Diff and Rollback-related",
        "AS5400", "Cisco AS5400 platform",
        "AS5400_ENVM", "Cisco AS5400 environmental monitor",
        "ASPP", "Asynchronous Security Protocol (ASPP)",
        "AT", "AppleTalk (AT)",
        "ATM", "Asynchronous Transfer Mode",
        "ATM_AIM", "ATM advanced module",
        "ATMCES", "ATM access concentrator PCI port adapter driver",
        "ATMCORE", "ATM core",
        "ATMLC", "Cisco 7300 ATM line card software",
        "ATMOC3", "ATM OC-3 network module",
        "ATMOC3POM", "ATM- OC3-POM module",
        "ATMPA", "ATM port adapter",
        "ATMSIG", "ATM signaling subsystem",
        "ATMSPA", "ATM Shared Port Adapter",
        "ATMSSCOP", "ATM Service Specific Connection Oriented Protocol (SSCOP)",
        "ATOM_NP_CLIENT", "Any Transport over MPLS NP client",
        "ATOM_SEG", "Any Transport Over MPLS (AToM) Segment Handler",
        "ATOM_TRANS", "Layer 2 Transport over MPLS",
        "AUDIT", "Audit feature",
        "AUTORP", "PIMv2 AUTORP",
        "AUTOSEC", "AutoSecure",
        "AUTOSHUT", "Autoshut",
        "AUTOSTATE", "Autostate feature",
        "BACKPLANE_BUS_ASIC", "Backplane bus ASIC",
        "BAMBAM", "One-port Fast Ethernet with coprocessor assist",
        "BAP", "PPP Bandwidth Allocation Protocol (BAP)",
        "BAT", "Power supply (BAT)",
        "BCM", "Broadcom switch controller",
        "BCM3220", "Cable modem MAC controller interface",
        "BCM56XX", "BCM56XX control layer",
        "BCM_GEWAN", "Messages related to the Cisco 3800 system controller",
        "BERT", "Bit error rate tester (BERT)",
        "BFD", "Bidirectional Forwarding Detection",
        "BFDFSM", "BFD finite state machine",
        "BGP", "Border Gateway Protocol",
        "BGP_MPLS", "BGP MPLS common",
        "BIT", "Dynamic bitlist",
        "BOOMERANG", "Boomerang distributed reverse proxy server",
        "BRI", "ISDN Basic Rate Interface",
        "BRIMUX", "Cisco AS5200 BRIMUX board",
        "BSC", "Binary Synchronous Communications protocol",
        "BSQ", "Buffer status queue processing",
        "BSR", "Bootstrap router",
        "BSTUN", "Block serial tunneling (BSTUN)",
        "BUNDLES", "Bundles",
        "C1400", "Cisco 1400 platform",
        "C_GIGE", "Dual-port Gigabit Ethernet back card subsystem",
        "C10K", "Cisco 10000",
        "C10K_APS", "NSP APS",
        "C10KATM", "Cisco 10000 ATM",
        "C10KCARDISSU", "Cisco 10000 Card ISSU",
        "C10KCHE1T1", "Cisco 10000 T1 line card",
        "C10KCHKPT", "Cisco 10000 Checkpoint facility",
        "C10KET", "Cisco 10000 ET",
        "C10KEVENTMGR", "Event Manager subsystem",
        "C10KGE", "Gigabit Ethernet subsystem",
        "C10KHHCT3", "Cisco 10000 HH Channelized T3",
        "C10KINT", "Cisco 10000 interrupt infrastructure",
        "C10KISSU", "Cisco 10000 In Service Software Upgrade",
        "C10K_IEDGE", "Cisco 10000 iEdge",
        "C10K_LFI_GENERAL", "Cisco 10000 Link Fragmentation and Interleaving",
        "C10K_MULTILINK_FRAGSIZE_BELOW_MIN_WARNING", "Cisco 10000 PXF Multilink fragment size below minimum warning",
        "C10K_QOS_GENERAL", "Cisco 10000 Quality of Service (QoS)",
        "C10K_QUEUE_CFG_GENERAL", "Cisco 10000 PXF queuing configuration",
        "C10K_TOASTER", "Cisco 10000 toaster",
        "C1400_PCI", "Protocol control information (PCI) bus for Cisco 1400 platform",
        "C1600", "Cisco 1600 platform",
        "C1700", "Cisco 1700 platform",
        "C1700_EM", "Cisco 1700 VPN module hardware accelerator for IP security",
        "C1800", "Cisco 1800 platform",
        "C1800_HW_CRYPTO", "Cisco 1800, Cisco 1810 Motorola SEC 2.0",
        "C2400_DSX1", "Cisco 2400 DSX1 subsystem",
        "C2600", "Cisco 2600 platform",
        "C2600_MAINBOARD_ASYNC_PQUICC", "MPC860 quad integrated communications controller for the Cisco 2600 platform",
        "C2950", "Catalyst 2950 series switch",
        "C29ATM", "Catalyst 2900XL ATM module",
        "C2KATM", "Catalyst 2820 ATM module",
        "C3200_FE", "Cisco 3200 FEC",
        "C3600", "Cisco 3600 platform",
        "C3800", "Cisco 3800 platform",
        "C3800_ENVM", "Environmental",
        "C3825", "Cisco 3825 platform",
        "C4GWY_DSPRM", "DSP Resource Manager",
        "C4K", "Catalyst 4000 platform",
        "C542", "Voice driver for modular access routers",
        "C5421", "Voice over IP",
        "C54x", "VoIP DSP driver",
        "C54X", "VoIP driver",
        "C5510", "Voice Over IP (VoIP) driver",
        "C5RSP", "Cisco Catalyst 5000 platform",
        "C6KENV", "Cisco Catalyst 6500 environmental system",
        "C6K_MWAM_CENTRALIZED_CONFIG", "Multiprocessor WAN Application Module (MWAM) centralized configuration",
        "C6KPWR", "Cisco Catalyst 6500 power control system",
        "C6MSFC", "C6MSFC (Draco)",
        "C6SUP", "C6SUP-specific",
        "C7200", "Cisco 7200 platform - deleted for 12.2",
        "C7200_TDM", "Cisco 7200 midplane TDM bus",
        "C7600_RSP", "Cisco 7600 Route Switch Processor",
        "C7600_SIP200", "SPA Interface Processor 200",
        "C7600_SIP200_MP", "Cisco 7600, Catalyst 6500 SIP-200 Multiprocessing",
        "C7600_SIP200_SPIRX", "Cisco 7600, Catalyst 6500 SIP-200 SPI4.2 bus ingress interface",
        "C7600_SIP200_SPITX", "Cisco 7600, Catalyst 6500 SIP-200 SPI4.2 bus egress interface",
        "C7600_SSC600", "Services SPA Carrier Card (SSC600)",
        "C830_HW_CRYPTO", "C830 Hifn",
        "C870_FE", "Cisco 870 Fast Ethernet",
        "C870_HW_CRYPTO", "Cisco 850, Cisco 870 Motorola SEC 1.0",
        "C950", "Cisco 950",
        "CAIM", "Compression Advanced Interface Module (CAIM)",
        "CALL_CONTROL", "Call control",
        "CALL_HOME", "Call Home",
        "CALL_MGMT", "Call management subsystem",
        "CALLPROG", "Call progress notification subsystem",
        "CALLRECORD", "Modem Call Record",
        "CALLTREAT", "Call treatment",
        "CALLTREAT_NOSIGNAL", "Call Treatment (TREAT)",
        "CALLTRKR", "Call Tracker subsystem",
        "CAMP", "Cooperative Asymmetric Multiprocessing",
        "CAPI", "Card API",
        "CAPI_EC", "Card or EtherChannel limitation",
        "CARDMGR", "SIP-400 Card Manager (data plane)",
        "CARRIER", "DFC carrier",
        "CASA", "Cisco Appliance and Services Architecture (CASA)",
        "CBUS", "CiscoBus controller",
        "CBUS_ATTN", "CMCC CIP for Cisco bus controller statistics routine",
        "CBUS_WRITE", "CMCC CIP for Cisco bus controller write support",
        "CCA", "CMCC CIP for channel card adapter",
        "CCH323", "Call Control for H.323",
        "CCPROXY", "H.323 proxy",
        "CDM", "Cable Data Modem subsystem",
        "CDMA_PDSN", "CDMA PDSN",
        "CDNLD_CLIENT", "Client NRP2 configuration download",
        "CDNLD_SERVER", "Server NSP configuration download",
        "CDP", "Cisco Discovery Protocol (CDP)",
        "CDSX_MODULE", "Network module",
        "CE3", "CE3 port adapter (CE3)",
        "CEIPNM", "Circuit Emulation over IP Network Module",
        "CERF", "Cache Error Recovery Function (CERF)",
        "CES", "Circuit Emulation Service (CES)",
        "CES_CLIENT", "Client circuit emulation service (CESt",
        "CES_CONN", "TDM connection",
        "CFG", "Invalid Cisco 1840 configuration",
        "CFGMGR", "Configuration Manager",
        "CFIB", "Constellation FIB",
        "CFM", "Connectivity Fault Management",
        "CHANNEL_BANK", "Channel Bank",
        "CHARLOTTE", "Dual OC-3 PoS port adapter",
        "CHKPT", "Checkpoint facility",
        "CHOC12", "CHOC12 port adapter",
        "CHOPIN", "Versatile Interface Processor (VIP) Multi-channel Port Adapter",
        "CHOPIN_MAINBOARD_ASYNC_PQII", "Chopin Main Board Asynchronous driver",
        "CHSTM1", "CHSTM1",
        "CI", "Cisco 7500 platform chassis interface",
        "CIOS", "CMCC channel adapter Cisco IOS wrapper",
        "CIP and CIP2", "Channel Interface Processor (CIP) and enhanced CIP",
        "CIPDUMP", "CIP core dump",
        "CIRRUS", "CD2430 asynchronous controller",
        "CIRRUS_PM", "Slow-speed asynchronous/synchronous port module",
        "CLAW", "CMCC CIP for Common Link Access for Workstations (CLAW) facility_full",
        "CLEAR", "Clear facility",
        "CLIENT_CLOCK_SYNC", "Clock synchronization server",
        "CLNS", "OSI Connectionless Network Service",
        "CLOCK", "Clock and calendar",
        "CLOCKSW", "Cisco 6400 network clocking",
        "CLS", "Cisco link services (CNS)",
        "CLSDR", "Cisco link services (CNS) driver",
        "CM622_CM155", "ATM OC12 and QOC3 line card driver",
        "CMAPP", "Call Manager application",
        "CMBPKM", "Multimedia Cable Network System Partners, Ltd. (MNCNS), baseline privacy key management",
        "CMCC", "Cisco Mainframe Channel Connection (CMCC)",
        "CM_DSPRM", "Digital Signal Processor Resource Manager (DSPRM)",
        "CM_MONITOR", "UBR900 Cable Access Router Personal Monitor",
        "CMP", "Cluster Membership Protocol",
        "CMPCTG", "CMCC Logical Link Control Transmission Group",
        "CNS", "Cisco Networking Services (CNS)",
        "CNS_AGENT_CFGCHG", "Cisco Network Service (CNS) Configuration Change Agent",
        "CNSAD_IPSEC_AGENT", "Cisco Network Service (CNS)/AD IPsec Agent",
        "CNSES", "Cisco Network Services Event Service client",
        "COBALT", "COBALT",
        "COMMON_FIB", "CEF address family independent (FIB)",
        "COMP", "Point-to-point compression",
        "CONFIG", "CMCC Channel Interface Processor (CIP) messages for the configuration processing facility",
        "CONST_BOOT", "Constellation boot",
        "CONST_DIAG", "On-line diagnostics",
        "CONST_V6", "IP version 6",
        "CONTROLLER", "Controller",
        "COPTMONMIB", "Cisco Optical Monitoring MIB",
        "COT", "Continuity test (COT)",
        "COUGAR_EHSA", "Pulse amplitude modulation (PAM) port driver",
        "CP", "Control plane protection notification",
        "CPAD", "Compression service adapter (CSA)",
        "CPE_MMI", "Customer Premises Equipment Modem Management Interface",
        "CPM", "Combo Port Module (CPM) device driver",
        "CPOS", "Packet-over-SONET",
        "CPU_INTF_FPGA", "CPU Interface FPGA",
        "CPU_MONITOR", "CPU monitor",
        "CRYPTO", "Encryption",
        "CRYPTO_HA", "Crypto High Availability",
        "CRYPTO_HA_IKE", "Crypto High Availability",
        "CRYPTO_HA_IPSEC", "Crypto High Availability",
        "CSG", "Content Services Gateway",
        "CSM", "Call switching module",
        "CSM_TGRM", "CSM TGRM interaction",
        "CSM_TRUNK", "Call switching trunk manager",
        "CSM_VOICE", "Call switching mode (CSM) voice subsystem",
        "CT3", "Channelized T3 (CT3) port adapter",
        "CTA", "CMCC CIP for the channel transport architecture device task/mapper",
        "CTLPROVIDERSERV", "CTL provider service",
        "CTRC", "Cisco Transaction Connection",
        "CWAN_ALARM", "Constellation WAN alarm",
        "CWAN_ATM", "Constellation WAN ATM",
        "CWAN_HA", "WAN module High Availability",
        "CWAN_QINQ", "Constellation CWAN-QINQ linecard",
        "CWAN_RP", "Constellation WAN ATM Route Processor driver",
        "CWAN_SP", "Constellation WAN ATM Switch Processor driver",
        "CWAN_SPA", "Shared Port Adapter on OSR",
        "CWANLC", "Constellation WAN line card",
        "CWANLC_ATM", "Constellation WAN ATM Route Processor driver",
        "CWAN_POSEIDON", "Optical Services Module (OSM) GE-WAN Route Processor (RP) driver",
        "CWPA", "Route Processor for Constellation Supervisor router module",
        "CWPABRIDGE", "CWPA bridging",
        "CWRMP", "Wireless radio point-to-multipoint driver",
        "CWRPSPA", "Shared Port Adapter on OSR RP",
        "CWRSU", "Wireless radio point-to-multipoint subscriber unit (SU)",
        "CWRTEST", "Wireless radio point-to-multipoint test driver",
        "CWSLC", "Constellation WAN SiByte module",
        "CWTLC", "Constellation Supervisor router module line card",
        "CWTLC_ATM", "ATM line card for Constellation Supervisor router module",
        "CWTLC_ATOM", "Constellation WAN Toaster linecard - AToM",
        "CWTLC_CHOC", "Cyclops Channelized OC48/OC12-related",
        "CWTLC_CHOC_DSX", "Optical Services Module (OSM) CHOC DSX LC common",
        "CWTLC_CHOCX", "Optical Services Module (OSM) Channelized OC12/OC3 Module",
        "CWTLC_GEWAN", "Gigabit Ethernet WAN Module",
        "CWTLC_QOS", "Optical Services Module (OSM) Supervisor line card QoS",
        "CWTLC_RP", "Catalyst 6500 Series Switch and Cisco 7600 Series Router WAN Toaster-based Module Route Processor",
        "DAS_ENV", "RSC environmental monitor subsystem",
        "DBCONN", "Database Connection",
        "DBUS", "Data bus",
        "DCU", "ATM access concentrator PCI port adapter",
        "DEBUGGER", "Debug mode",
        "DEC21140", "DEC21140 Fast Ethernet controller",
        "DFC", "Dial feature card",
        "DFC_CARRIER", "Dial feature card carrier",
        "DFP", "Dynamic Feedback Protocol",
        "DHCP", "Dynamic Host Configuration Protocol",
        "DHCP_SNOOPING", "DHCP snooping",
        "DHCPD", "Dynamic Host Configuration Protocol (DHCP) server",
        "DHCPV6C", "DHCPv6 client",
        "DHCPV6S", "DHCPv6 server",
        "DIAG", "CMCC CIP for diagnostic testing",
        "DIALER", "Dial-on-demand routing",
        "DIALPEER_DB", "Dial peer configuration",
        "DIALSHELF", "Dial shelf",
        "DIRECTOR", "Director server",
        "DISKMIRROR", "NSP disk mirror",
        "DLC", "Data-link control",
        "DLSWC", "Data-link switching (DLSw)",
        "DLSWMasterSlave", "Data-link switching (DLSw) core",
        "DLSWP", "Data-link switching (DLSw) peer module",
        "DM", "Diagnostic Monitor or Dispatch Manager",
        "DMA", "Direct memory access",
        "DMTDSL", "Digital/discrete multitone digital subscriber line (DMTDSL)",
        "DNET", "DECnet",
        "DNLD", "Auto-config/download",
        "DNSSERVER", "Domain Name System (DNS) server",
        "DOSFS", "DOS file system",
        "DOS_TRACK", "IP source tracker",
        "DOT11", "802.11 subsystem",
        "DOT1Q", "802.1q",
        "DOT1X", "802.1X authorization",
        "DOT1X_MOD", "Messages encountered in platform dependent code for 802.1x",
        "DP83815", "DP83815 10/100 Mbps Integrated PCI Ethernet Media Access Controller",
        "DPM", "AS5200 T1 BRIMUX",
        "DRIP", "Duplicate Ring Protocol",
        "DRP", "Director Response Protocol",
        "DRVGRP", "Interface driver",
        "DS3E3SUNI", "DS3E3SUNI driver",
        "DS_MODEM", "FB modem card",
        "DS_TDM", "Dial shelf time-division multiplexing",
        "DS1337", "DS1337 RTC",
        "DSA", "Delayed stop accounting",
        "DSC", "Dial shelf controller (DSC)",
        "DSC_ENV", "Cisco AS5800 environment monitor",
        "DSC_REDUNDANCY", "Cisco AS5800 dial shelf controller (DSC) redundancy",
        "DSCC4", "DSCC4 driver",
        "DSCCLOCK", "Dial shelf controller (DSC) clock",
        "DSCEXTCLK", "Dial shelf controller (DSC) clock",
        "DSCREDCLK", "Dial shelf controller (DSC) redundancy clock",
        "DSI", "Cisco AS5800 dial shelf interconnect board",
        "DSIP", "Distributed system interconnect protocol",
        "DSIP_IOSDIAG", "DSIP diagnostic test",
        "DSIPPF", "Nitro Interconnect Protocol",
        "DSLSAR", "DSL segmentation and reassembly",
        "DSM", "DSP Stream Manager",
        "DSMP", "DSP Stream Manager",
        "DSP_CONN", "TDM connection",
        "DSPDD", "Digital Signal Processor Device Driver (DSPDD)",
        "DSPDUMP", "Digital Signal Processor crash dump facility",
        "DSPFARM", "DSP resource management",
        "DSPRM", "Digital Signal Processor Device Driver (DSPDD)",
        "DSPU", "Downstream physical unit",
        "DSX0", "CT1 RBS time slot status",
        "DSX1", "Channelized E1 (Europe) and T1(US) telephony standard",
        "DS_TDM", "Dial shelf time-division multiplexing (TDM)",
        "DSXPNM", "TE3 network module",
        "DTP", "Dynamic Trunking Protocol filtering",
        "DUAL", "Enhanced Interior Gateway Routing Protocol",
        "DVMRP", "Distance Vector Multicast Routing Protocol",
        "E1T1_MODULE", "E1T1 module",
        "EAP", "Extensible Authentication Protocol",
        "EARL", "Enhanced Address Recognition Logic",
        "EARL_ACL_FPGA", "Enhanced Address Recognition Logic ACL FPGA",
        "EARL_DRV_API", "EARL driver API",
        "EARL_L2_ASIC", "Enhanced Address Recognition Logic Layer 2 ASIC",
        "EARL_L3_ASIC", "Enhanced Address Recognition Logic Layer 3 ASIC",
        "EARL_NETFLOW", "Enhanced Address Recognition Logic NetFlow",
        "EC", "EtherChannel, Link Aggregation Control Protocol (LACP), and Port Aggregation Protocol (PAGP)",
        "PXF_GEC", "PXF EtherChannel",
        "PXF_GRE", "Parallel eXpress Forwarding (PXF) GRE tunnel-related",
        "PXF_NAT", "Parallel eXpress Forwarding (PXF) Network Address Translation (NAT)-related",
        "PXF_QOS", "Parallel eXpress Forwarding (PXF) Quality of Service (QoS)-related",
        "PXF_VRFS", "Parallel eXpress Forwarding (PXF) VRF selection-specific",
        "QA", "Queue and accumulator",
        "QEM", "QEM driver",
        "QLLC", "Qualified Logical Link Control",
        "QM", "Quality of service management",
        "QNQ", "Q-in-Q",
        "QOS", "Quality of Service",
        "QOSMGR", "Quality of Service (QoS) manager",
        "QUICC", "MC68360 quad integrated communications controller",
        "WSIPC", "Windstar IPC",
        "X25", "X.25",
        "XCCTSP_VOICE", "External Call Control Telephony Service Provider",
        "XCPA", "Mainframe Channel Port Adapter",
        "XCVR", "Transponder",
        "XDR", "eXternal Data Representation",
        "XDSDLWIC", "Cisco 2600 series and 3600 series xDSL drivers",
        "XTAGATM", "Extended Tag ATM (XTagATM)",
        "Y88E8K", "Yukon 88E8000 E/FE/GE controller",
        "ZAM", "Zenith Alarm Management"
    } # translate
  } # if

#       if "_grokparsefailure" not in [tags] {
#          mutate {
#            remove_field => ["message"]
#                 }
#        }

} # filter

output {
  # Something went wrong with the grok parsing, don't discard the messages though
#  if "_grokparsefailure" in [tags] {
#    file {
#      path => "/tmp/fail-%{type}-%{+YYYY.MM.dd}.log"
#    }
#  }

  # The message was parsed correctly, and should be sent to elasicsearch.
#  if "ciscoios" in [tags] {
 #   file {
  #    path => "/tmp/%{type}-%{+YYYY.MM.dd}.log"
   # }

    elasticsearch {
        hosts           => ["https://X.X.X.X:9200"]
        manage_template => true
        #ilm_enabled => "auto"
        #ilm_rollover_alias => "cisco-ios"
        #ilm_pattern => "000001"
        #ilm_policy => "cisco_ios_rollover_policy"
        index => "logstash-ios-%{+YYYY.MM.dd}"
        ssl => true
        ssl_verification_mode => full
        ssl_certificate_authorities => "/etc/logstash/certs/http_ca.crt"
        user => "logstash_writer"
        password => "PASS"
        #document_type   => "%{type}"
        #document_id     => "%{fingerprint}"

#  stdout  {
 #      codec => rubydebug
#  }

#  }

Unless you are using pipelines.yml to specify multiple distinct pipelines, all config files are concatenated into a single pipeline. Data from all inputs will then go to all outputs unless these are controlled by conditional just like your filter sections are.

Oh goodness youre right! Sorry its been a while since I had to touch this stuff. Thanks for pointing me in the right direction, you can close this thread.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.