Filter by port using pipe directive


(Ben) #1

Hello, I’m attempting to collect sflow logs from a number of
exporters that will be exporting and sending the traffic on UDP port 6434. I’m
using the pipe directive since I can specify the command setting, otherwise I’d
simply use the UDP directive with the port setting etc.

My issue is how would I differentiate this traffic from
other inputs? I don't want to use the if [host] setting since I want
syslog traffic from these hosts too on UDP 514.

My input .conf is below:

input {
  pipe {
    type => "sflow"
    command => "/usr/local/bin/sflowtool_wrapper.sh -l -p 6343"
  }
}

Thanks


(Magnus Bäck) #2

You mean you have other inputs that also use the sflow type? Consider adding a tag that differentiates these sflow messages from other sflow messages.

input {
  pipe {
    type => "sflow"
    command => "/usr/local/bin/sflowtool_wrapper.sh -l -p 6343"
    tags => ["mytag"]
  }
}

Then use a conditional on the tags field in your filter and/or output blocks:

if "mytag" in [tags] {
  ...
}
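
Putting the tag suggestion into a complete pipeline, as an added example rather than configuration from either poster: each input is tied to one port by construction (the pipe command's -p argument, the udp input's port option), so a tag set on that input is effectively a per-port label that the output block can route on. The syslog_514 tag, the index names and the elasticsearch host are assumptions; the wrapper path and the sflow port are taken from the thread.

```conf
input {
  # The pipe input listens on whatever port its command is started with,
  # so tagging this input identifies sflow traffic arriving on 6343.
  pipe {
    type => "sflow"
    command => "/usr/local/bin/sflowtool_wrapper.sh -l -p 6343"
    tags => ["sflow_6343"]
    # @metadata fields are available to later stages but are not indexed.
    add_field => { "[@metadata][listen_port]" => "6343" }
  }
  # Syslog from the same exporters comes in on a separate UDP input,
  # so host-based conditionals are not needed to tell the two apart.
  udp {
    type => "syslog"
    port => 514
    tags => ["syslog_514"]
    add_field => { "[@metadata][listen_port]" => "514" }
  }
}

output {
  # Route to a per-source index based on the tag set by the input.
  if "sflow_6343" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]   # assumed
      index => "sflow-%{+YYYY.MM.dd}"
    }
  } else if "syslog_514" in [tags] {
    elasticsearch {
      hosts => ["localhost:9200"]   # assumed
      index => "syslog-%{+YYYY.MM.dd}"
    }
  }
}
```

Because the tag is assigned per input rather than derived from the event, it cannot be spoofed by the contents of a datagram, which is also why it is a safer routing key than a host field parsed from the payload.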

(Ben) #3

We use NetFlow and Syslog, which are sent to different
indexes; both are defined by the port.

This would be the first sflow input.


(Ben) #4

So I would be happy to use the tags directive but that won't differentiate the ports.


(Magnus Bäck) #5

Is there a field containing the port number, or how is Logstash supposed to know about the ports that come into play?
