We have three servers. Each sends logs of one format. I am trying to make conditions for filtering logs from these servers using tags. But that does not work.
input {
beats {
port => 5044
type => beats
}
udp {
port => 6514
type => syslog
}
}
filter {
if ["server1", "server2", "server3"] in [tags] {
grok {
match => { "message" => "%{INT:Min}:%{BASE10NUM:Sec}-%{INT:Duration},(%{WORD:Event}|%{SPACE:Event}),%{INT:Level}" }
match => { "[log][file][path]" => "%{INT:TempYYMMDDHH}.log" }
}
} else {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
}
output {
if "server1" in [tags] {
elasticsearch {
index => "server1-%{+YYYY.MM.dd}"
hosts => ["localhost:9200"]
}
} else if "server2" in [tags] {
elasticsearch {
index => "server2-%{+YYYY.MM.dd}"
hosts => ["localhost:9200"]
}
} else if "server3" in [tags] {
elasticsearch {
index => "server3-%{+YYYY.MM.dd}"
hosts => ["localhost:9200"]
}
} else {
elasticsearch {
hosts => ["localhost:9200"]
}
stdout {
codec => rubydebug
}
}
}Also tried this option
if "server1" in [tags] or "server2" in [tags] or "server3" in [tags] {
.............
.............
} else ......
Please help solve this problem!
Best regards!