Hello, I would like to use my existing working LS config file to handle other log sources, but I'm not sure of the syntax to handle multiple tags and types. I tried the second config file below, but it did not work. Any ideas? Thanks in advance.
existing working conf file:
input {
  beats {
    port => "5043"
    tags => ["aemlogs","fglam"]
    type => "linux-logs"
  }
}
output {
  if ("aemlogs" in [tags]) {
    redis {
      data_type => "list"
      key => "linux-beats"
      congestion_threshold => "2200000"
    }
  }
}
second NOT working conf file:
input {
  beats {
    port => "5043"
    tags => ["aemlogs","fglam"]
    type => ["linux-logs","fglam_beats"]
  }
}
output {
  if ("aemlogs", "fglam" in [tags]) {
    redis {
      data_type => "list"
      key => "linux-beats"
      congestion_threshold => "2200000"
    }
  }
}
if "foo" in [tags] or "bar" in [tags] {
  mutate { add_tag => [ "atLeastOne" ] }
}
if "foo" in [tags] and "bar" in [tags] {
  mutate { add_tag => [ "both" ] }
}
Are you using pipelines? If not, and -f points to a directory, logstash will concatenate all the files in the directory to create the configuration. That means you cannot have two beats inputs on the same port number -- one will get an address already in use.
Thanks Badger, I'm not sure if I'm using pipelines, although I do get that error message if I try to use the same port number on multiple inputs. This is my running command:
It matters if you need conditional filters or outputs. If you have Windows event logs coming from one place, and syslog files from another and tomcat logs from somewhere else then tagging them at the source (i.e. filebeat) makes sense. You can then use the tags to put each set of logs through different filters.
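
The advice in this thread combined into one configuration, as an added example that is not part of the original posts: a single beats input on the port, tags applied at the source, and one conditional per tag. It assumes Filebeat attaches "aemlogs" or "fglam" to each event through its own `tags` setting, and "fglam-beats" is a hypothetical Redis key.

```logstash
# Added example, not from the thread.
# Assumption: each Filebeat instance sets tags to "aemlogs" or "fglam".
input {
  beats {
    port => 5043
    # No tags here: tags set on the input are added to every event it
    # receives, so they cannot tell one log source from another.
  }
}

filter {
  # `type` holds a single string, so set it per source rather than as an array.
  if "aemlogs" in [tags] {
    mutate { replace => { "type" => "linux-logs" } }
  } else if "fglam" in [tags] {
    mutate { replace => { "type" => "fglam_beats" } }
  }
}

output {
  if "aemlogs" in [tags] {
    redis {
      data_type => "list"
      key => "linux-beats"
      congestion_threshold => 2200000
    }
  } else if "fglam" in [tags] {
    redis {
      data_type => "list"
      key => "fglam-beats"   # hypothetical key for the second source
      congestion_threshold => 2200000
    }
  } else {
    # Events with neither tag stay visible instead of being dropped silently.
    stdout { codec => rubydebug }
  }
}
```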