Getting logs in other index

Blason · December 2, 2017, 5:19pm

Hi Guys,

I am kinda facing weird issue! I have configured two config file and have created two different indices which are indexing my bind and Apache logs.

However my bind logs are getting successfully parsed and even logstash-apache is showing Bind logs not sure why.

Here are the config

bind config

input {

##############STDIN

stdin {

type => "dnsmaldef"

}

##########STIN

   file {
   path => ["/var/log/named/queries.*"]
            start_position => "beginning"
            type => "dnsmaldef"
   }

}
output {
if [type] == "dnsmaldef" {

stdout {

codec => rubydebug

}

            elasticsearch {
                    hosts => ["dnsdf.isnlab.in:9200"]
                    index => "logstash-dnsmaldef-%{+YYYY.MM.dd}"
                    template => "/etc/logstash/logstash-template.json"
    }
            }

}

Apache config

input {
# add necessary input parameters

stdin {

}

           file {
   path => ["/var/log/httpd/access*"]
            start_position => "beginning"
   }

}

output {
# add necessary output parameters

stdout {

codec => rubydebug

}

                    elasticsearch {
                    hosts => ["dnsdf.isnlab.in:9200"]
                    index => "logstash-apache-%{+YYYY.MM.dd}"
                    template => "/etc/logstash/logstash-template.json"
    }

}

magnusbaeck · December 2, 2017, 6:34pm

See Logstash sending to all output hosts. Since that post was made Logstash 6 which supports multiple pipelines (if explicitly configured) is available.

Blason · December 2, 2017, 6:44pm

I am sorry I did not get anything out of that.. i am still not sure what went wrong with my pipeline.

Can you please elaborate more on this?

magnusbaeck · December 2, 2017, 8:49pm

You have a conditional wrapping the elasticsearch output in your Bind configuration file:

if [type] == "dnsmaldef" {
  ...
}

You don't have that kind of conditional wrapping the elasticsearch output in your Apache configuration file. Hence, events from the other file will be routed to that output.

Blason · December 3, 2017, 2:12am

OK - I disabled it and restarted the logstash and recreated the index-pattern but is the same

magnusbaeck · December 4, 2017, 6:20am

Please show your configuration and an example of an event that ended up in the wrong index. You can copy/paste the raw JSON document from Kibana's JSON tab.

Blason · December 11, 2017, 1:53pm

here is my config for apache.conf

input {
# add necessary input parameters

stdin {

}

           file {
            path => ["/var/log/httpd/access_*"]
            start_position => "beginning"
            type => "apache"
   }

}

filter {
if [type] == "apache" {
# for Apache Access logs
grok {
match => { "message" => "%{COMBINEDAPACHELOG}" }
}
}
}
output {
# add necessary output parameters

stdout {

codec => rubydebug

}

            if [type] == "apache"   {
                    elasticsearch {
                    hosts => ["dnsdf.isnlab.in:9200"]
                    index => "logstash-apache-%{+YYYY.MM.dd}"
                                            }
                                    }

And here is log
92.168.5.102 - - [11/Dec/2017:08:58:57 +0530] "GET / HTTP/1.1" 200 44546 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36"

magnusbaeck · December 11, 2017, 2:23pm

Please answer my second question (the one about an example event). Also, what other configuration files do you have?

Blason · December 11, 2017, 2:37pm

Well you know I was playing with configuration and logs are not even getting indexed with said config file however stdin & stdout are showing proper indexes.

magnusbaeck · December 11, 2017, 3:03pm

Please answer all questions.

system · January 8, 2018, 3:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.