Hi, I really need some help with logstash.
I am trying to filter messages based on content and send them to an alternative server. For example:
{"type":"syslog","host":"1.1.1.1","@timestamp":"2021-03-08T13:18:55.722Z","message":"<14>Mar 8 14:04:21 myrouter1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 1.1.1.2/500->1.1.1.3/500 0x0 junos-ike 0x0 N/A N/
I want to pick out RT_FLOW_SESSION* with a regex and tag the entry, but I cannot seem to work out how to structure this.
My inputs and outputs are working fine; I have tested this using:
input {
  syslog {
    port => 514
  }
}
filter {
  if [host] == "1.1.1.1" {
    mutate { add_tag => ["router"] }
  }
}
I have a number of IPs to match, but I think filtering based on a regex will be more efficient.
Thanks in advance.
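One way to structure this, as an added example that is not part of the original post: a full pipeline that tags events whose message matches RT_FLOW_SESSION_* with a regex conditional, matches the router IPs with a regex instead of a list of equality checks, and routes only the tagged events to a second destination. The session event names, the `[host]` field name, and the destination hosts/ports are assumptions or placeholders.

```logstash
# Added example, not from the original post. Placeholders are marked in caps.
input {
  syslog {
    port => 514
  }
}

filter {
  # Regex on the message body. Only the RT_FLOW_SESSION_ prefix comes from the
  # sample event; CREATE/CLOSE/DENY are assumed suffixes, adjust to taste.
  if [message] =~ /RT_FLOW_SESSION_(CREATE|CLOSE|DENY)/ {
    mutate { add_tag => ["rt_flow"] }
  }

  # Regex on the source host instead of one equality check per IP.
  # Assumes the syslog input populates [host] with the sender address.
  if [host] =~ /^1\.1\.1\.\d{1,3}$/ {
    mutate { add_tag => ["router"] }
  }
}

output {
  # Tagged session events go to the alternative server; everything else
  # keeps its normal destination.
  if "rt_flow" in [tags] {
    tcp {
      host  => "ALT-SERVER-PLACEHOLDER"
      port  => 5140
      codec => json_lines
    }
  } else {
    elasticsearch {
      hosts => ["http://ES-HOST-PLACEHOLDER:9200"]
    }
  }
}
```

The same `if "rt_flow" in [tags]` test can be reused in later filter stages, e.g. to run a grok pattern only on the session events rather than on all syslog traffic.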