Help - Logstash multiple logs in single output

Hi,

I'm currently stuck on why my test file is not outputting both types of logs (flow_logs and URL_logs). I've run them both separately and they work fine.

However, once I run the following code below, I'm only outputting URL logs.

Could anybody please assist?

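# Two syslog listeners feed one pipeline. The `type` set on each input is the
# only thing that tells the two streams apart in the filter section below.
input {
    syslog {
        # The syslog input binds every interface by default (host => "0.0.0.0").
        # Set `host` to the collector's management address if the listener
        # should not be reachable network-wide.
        port => 510
        type => "flow_logs"
    }
    syslog {
        port => 511
        type => "url_logs"
    }
}

filter {
    if [type] == "flow_logs" {
        grok {
            # NOTE(review): this pattern has no leading "<" before the priority,
            # while the url_logs pattern below starts with "<" -- confirm against
            # a captured line from the device; a mismatch means every flow event
            # is tagged _grokparsefailure.
            match => { "message" => "%{NUMBER:Priority}>%{NUMBER:Version} %{NUMBER:Timestamp} %{WORD:Host} %{WORD:LogType} %{WORD:Action} src=%{IPV4:SourceIP} dst=%{IPV4:DestIP} mac=%{MAC:MAC} protocol=%{WORD:Protocol} sport=%{INT:Source_Port} dport=%{INT:Dest_Port}" }
        }
        # Keep only the parsed fields. `type` is retained so the source stream
        # is still identifiable downstream, and `tags` so a _grokparsefailure
        # on an unparsed line stays visible instead of the whole event being
        # pruned down to nothing (silent log loss).
        prune {
            whitelist_names => [ "^Priority$" , "^Version$" , "^Timestamp$" , "^Host$" , "^LogType$" , "^Action$" , "^SourceIP$" , "^DestIP$" , "^MAC$" , "^Protocol$" , "^Source_Port$" , "^Dest_Port$" , "^type$" , "^tags$" ]
        }
    }
    else if [type] == "url_logs" {
        grok {
            # The trailing "..." is matched literally; GREEDYDATA:URL only
            # captures up to it.
            match => { "message" => "<%{NUMBER:Priority}>%{NUMBER:Version} %{NUMBER:Timestamp} %{WORD:Host} %{WORD:LogType} src=%{IPV4:SourceIP}:%{IPORHOST:SourcePort} dst=%{IPV4:DestIP}:%{IPORHOST:DestPort} mac=%{MAC:MAC} (agent='%{DATA:User_Agent}' )?request: %{DATA:Request} %{GREEDYDATA:URL}..." }
        }
        # Same whitelist idea as above: parsed fields plus `type` and `tags`.
        prune {
            whitelist_names => [ "^Priority$" , "^Version$" , "^Timestamp$" , "^Host$" , "^LogType$" , "^SourceIP$" , "^SourcePort$" , "^DestIP$" , "^DestPort$" , "^MAC$" , "^User_Agent$" , "^Request$" , "^URL$" , "^type$" , "^tags$" ]
        }
    }
}

output {
    microsoft-sentinel-logstash-output-plugin {
        # The sample file is a bounded preview -- per the thread's resolution it
        # holds only a limited number of events -- not a full copy of the
        # pipeline output. Use it to check field shapes, not to count events
        # from each stream.
        create_sample_file => true
        sample_file_path => "/tmp/logstash/"
    }
}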

I also attempted to use "ELSE IF [type] == "url_logs"".

This then only outputs the flow logs and not the URL logs.

Fixed. The sample file limits the number of logs. Extracted to a standard file.
