Hello!
I've configured winlogbeat and filebeat on a windows host. Both filebeat and winlogbeat have the same logstash output. What I would like to do, and what I am having trouble with, is that I would like to apply different grok filters for each type, i.e. one grok filter for all filebeat input and another grok filter for all winlogbeat input.
This is my current configuration.
input {
  beats {
    port => 5044
  }
}
filter {
  if [type] == "filebeat" {
    grok {
      match => ["message", "%{TIMESTAMP_ISO8601:log_timestamp} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:userAgent} %{NOTSPACE:referer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:timetaken}"]
    }
  }
}
output {
  elasticsearch {
    hosts => "X.X.X.X:XXXX"
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
I changed the output to: { codec => rubydebug { metadata => true } } and saw that there was a type field that contained "filebeat". However, it doesn't seem to work either. It just seems to "ignore" the filebeat input.
If I run without the if-condition it correctly parses the message field from the filebeat input.
Any tips would be welcome.
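One way to route each Beat through its own grok filter, added here as an example and not the original poster's configuration: branch on `[@metadata][beat]`, which carries the Beat's name ("filebeat" or "winlogbeat") and is the same field the poster's index name already uses, rather than on the top-level `type` field. The filebeat branch reuses the IIS pattern from the post; the winlogbeat pattern is an assumed placeholder (`%{GREEDYDATA:win_message}`) to be replaced with whatever the Windows events actually need. The `else` branch and the `tag_on_failure` values are also assumptions, added so that unmatched events are visible in the rubydebug output while testing.

```logstash
input {
  beats {
    port => 5044
  }
}

filter {
  # Route on the Beat name, which each Beat sets in [@metadata][beat].
  if [@metadata][beat] == "filebeat" {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:log_timestamp} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{NUMBER:port} %{NOTSPACE:username} %{IPORHOST:clientIP} %{NOTSPACE:userAgent} %{NOTSPACE:referer} %{NUMBER:response} %{NUMBER:subresponse} %{NUMBER:win32response} %{NUMBER:timetaken}" }
      # Assumed tag name: makes IIS lines that did not match easy to find.
      tag_on_failure => ["_grokparsefailure_iis"]
    }
  } else if [@metadata][beat] == "winlogbeat" {
    grok {
      # Placeholder pattern (assumption): replace with the fields you need
      # from the Windows event message.
      match => { "message" => "%{GREEDYDATA:win_message}" }
      tag_on_failure => ["_grokparsefailure_winlog"]
    }
  } else {
    # Assumed tag: anything arriving from an unexpected Beat is marked, not dropped.
    mutate { add_tag => ["unknown_beat"] }
  }
}

output {
  # Keep metadata => true while testing so [@metadata][beat] is visible.
  stdout { codec => rubydebug { metadata => true } }
  elasticsearch {
    hosts => "X.X.X.X:XXXX"
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}
```

With both outputs enabled, each event printed by rubydebug shows the `@metadata.beat` value the conditional is comparing against, so a branch that is never taken can be spotted directly in the console rather than inferred from missing fields in Elasticsearch.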