Hi,
I'm transitioning to logstash from an rsyslog config that ingests logs from a list of network devices (routers, switches, firewalls), then does something based on the source IP. Here's an abbreviated example:
if ($fromhost-ip == '10.250.0.73' or $fromhost-ip == '10.253.1.161' ) then @10.250.0.208
The way I was thinking about implementing this in logstash is adding a tag if the source IP matched. Would this be a similar config?
filter {
  if [source] == '10.250.0.73' or [source] == '10.253.1.161' {
    mutate {
      add_tag => "network_device"
    }
  }
}
output {
  if "network_device" in [tags] {
    udp {
      host => "10.250.0.208"
      port => 514
    }
  }
}
Or is there a better way to do this? Can you do a regex =~ "(10.250.0.73|10.253.1.161)" or anything similar?
I'm testing by looking for that specific tag and writing it out to a file, but I also have a catch-all if nothing else matches, and it's hitting that catch-all, so I'm apparently not doing something right.
There are a lot of other log source types coming in, so I didn't know if applying tags determined by source IP, message string, etc. is the best methodology (sorry, I'm just getting started on learning this), but I'd love to learn some tips if possible.
Thanks!
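As an added example (not part of the original post), here is one way to write the same routing with a list-membership test instead of chained `==`, an anchored regex with the dots escaped, and an explicit catch-all so unmatched events are visible. The field name `[host]` and the listen port 5514 are assumptions: which field the sender address lands in depends on the input plugin and its `ecs_compatibility` setting, so confirm it with a `stdout { codec => rubydebug }` output before relying on it.

```logstash
input {
  udp {
    port => 5514   # constructed listen port; the sender address is assumed to land in [host]
  }
}

filter {
  # Exact membership test against an array literal. Note that "in" against a
  # plain string is a substring check, so use the array form for IP lists.
  if [host] in ["10.250.0.73", "10.253.1.161"] {
    mutate { add_tag => ["network_device"] }
  }
  # Regex form of the same match. Anchor it and escape the dots: an unescaped
  # "." matches any character, so "10.250.0.73" would also match "10.250.0.730".
  else if [host] =~ /^(10\.250\.0\.73|10\.253\.1\.161)$/ {
    mutate { add_tag => ["network_device"] }
  }
}

output {
  if "network_device" in [tags] {
    udp {
      host => "10.250.0.208"
      port => 514
    }
  } else {
    # Catch-all: anything not tagged goes to a file (path is an assumption) so
    # events from unexpected sources, or a wrong field name, are easy to spot.
    file { path => "/var/log/logstash/catchall.log" }
  }
}
```

If every event still lands in the catch-all, the usual cause is that the sender address is not in `[host]` at all (for example it is in `[host][ip]` under ECS mode), which the rubydebug output will show.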