I'm transitioning to logstash from an rsyslog config that ingests logs from a list of network devices (routers, switches, firewalls), then does something based on the source IP. Here's an abbreviated example:
if ($fromhost-ip == '10.250.0.73' or $fromhost-ip == '10.253.1.161' ) then @10.250.0.208
The way I was thinking about implementing this in logstash is adding a tag if the source IP matched. Would this be a similar config?
    filter {
      if [source] == '10.250.0.73' or [source] == '10.253.1.161' {
        mutate {
          add_tag => "network_device"
        }
      }
    }
    output {
      if "network_device" in [tags] {
        udp {
          host => "10.250.0.208"
          port => 514
        }
      }
    }
Or is there a better way to do this? Can you do a regex =~ "(10.250.0.73|10.253.1.161)" or anything similar?
I'm testing by looking for that specific tag and writing it out to a file, but I also have a catch-all if nothing else matches, and it's hitting that catch-all, so I'm apparently not doing something right.
There are a lot of other log source types coming in, so I didn't know if applying tags determined by source IP, message string, etc., is the best methodology (sorry, I'm just getting started on learning this), but I'd love to learn some tips if possible.
If you point path.config to a directory then all of the files in the directory (every file) are concatenated to create the configuration. Events are read from each input, run through all of the filters, then sent to all of the outputs (unless you use conditionals). Does that match your understanding?
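As an added example (not part of the original thread), the pipeline below covers both the regex question asked above and the point that every output receives every event unless it is wrapped in a conditional. It assumes Logstash 7.x with ECS compatibility disabled, so the udp input leaves the sender address as the plain string field [host] (the field the later reply in this thread found to work); the listening port, the subnet ranges and the file path are placeholders chosen for the example.

```conf
# Added example, not from the original thread. Assumes the udp input stores
# the sender address as the string field [host]. Port, CIDR ranges and the
# file path are placeholders.
input {
  udp {
    port => 5514
    type => "syslog"
  }
}

filter {
  # 1. Exact membership test. No regex, so there is nothing to escape or anchor.
  if [host] in ["10.250.0.73", "10.253.1.161"] {
    mutate { add_tag => ["network_device"] }
  }

  # 2. The regex form of the same test, shown for syntax only (it is only
  #    evaluated when branch 1 did not match). Dots must be escaped and the
  #    pattern anchored: =~ "(10.250.0.73|10.253.1.161)" would also accept
  #    10.250.0.731 or 110.250.0.73, because an unescaped "." matches any
  #    character and an unanchored match may sit anywhere in the string.
  else if [host] =~ /^(10\.250\.0\.73|10\.253\.1\.161)$/ {
    mutate { add_tag => ["network_device"] }
  }

  # 3. Whole subnets instead of a growing list of addresses: the cidr filter
  #    tags any event whose [host] falls inside one of the listed networks.
  cidr {
    address => ["%{host}"]
    network => ["10.250.0.0/24", "10.253.1.0/24"]
    add_tag => ["network_device_subnet"]
  }
}

output {
  # Without the conditional, both outputs would receive every event.
  # With it, the forward and the catch-all file are mutually exclusive.
  if "network_device" in [tags] {
    udp {
      host => "10.250.0.208"
      port => 514
    }
  } else {
    file {
      path => "/var/log/logstash/unmatched-%{+YYYY.MM.dd}.log"
    }
  }
}
```

The `in` test on an array literal is the form to reach for first: it is an exact comparison, so it cannot over-match the way an unescaped, unanchored regex does. One caveat that applies to every variant: [host] is the UDP sender address, which is unauthenticated and trivially spoofed, so a tag set from it selects where an event is routed but should not be treated as proof that the event came from that device.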
But it's not catching that 'Test' tag (or maybe I'm doing it the wrong way?). All of the other rules I'd created that are based on strings in the message or tags set by Beats are working fine. It's just this one based on the source IP that I can't quite get.
Thank you again for your reply -- I really appreciate it!
Sorry, I should have tested it before asking. But it does look like that's the case. Not sure if that's the new syntax for 7.4, but [host] does work and [source] does not: