Filter by port using pipe directive

Ben19 · October 6, 2015, 11:31am

Hello, I’m attempting to collect sflow logs from a number of
exporters that will be exporting and sending the traffic on UDP port 6434. I’m
using the pipe directive since I can specify the command setting, otherwise I’d
simply use the UDP directive with the port setting etc.

My issue is how would I differentiate this traffic from
other inputs? I don’t want to be use the IF [host] setting since I want to
syslog traffic from these hosts too on UDP 514.

My input .conf is below:

input {
pipe {
type => "sflow"
command => "/usr/local/bin/sflowtool_wrapper.sh -l -p 6343"
}
}

Thanks

magnusbaeck · October 6, 2015, 12:25pm

You mean you have other inputs that also use the sflow type? Consider adding a tag that differentiates these sflow messages from other sflow messages.

input {
  pipe {
    type => "sflow"
    command => "/usr/local/bin/sflowtool_wrapper.sh -l -p 6343"
    tags => ["mytag"]
  }
}

Then use a conditional on the tags field in your filter and/or output blocks:

if "mytag" in [tags] {
  ...
}

Ben19 · October 6, 2015, 12:35pm

We use NetFlow and Syslog which is sent to different
indexes, both are defined by the port.

This would be the first sflow input.

Ben19 · October 8, 2015, 2:24pm

So I would be happy to use the tags directive but that won't differentiate the ports.

magnusbaeck · October 8, 2015, 2:40pm

Is there a field containing the port number, or how is Logstash supposed to know about the ports that come into play?