How does Logstash process configs? In what order does it process input?


(Jason) #1

I have a syslog tcp input that's my catch-all when I can't set up a defined input. Anyway, the input file sets the type as "syslog"

input {
  tcp {
    port => 5140
    type => "syslog"
  }
}

I then have another config file, called 01-syslog.conf with a filter for that syslog type

filter {
  if [type] == "Syslog" {
    if [host] =~ /192\.168\.56\.1/ or [host] =~ /192\.168\.56\.2/ {
      mutate {
        replace => { "type" => "firewall" }
      }
    }
  }
}

I then have another config file for the firewall filter 02-firewall.conf

filter {
  if [type] == "firewall" {
  }
}

So my question is: how, or in what order, does Logstash process the configs? I want to make sure that the syslog filter is processed before the firewall filter, since the firewall type is set within the syslog filter. Plus I'll probably want to add additional configs down the road.

So there is:

00-inputs.conf
01-syslog.conf
02-firewall.conf
...
...
09-futureservice.conf

(Magnus Bäck) #2

The filters are processed for an event in the same order that they've been read from the configuration files, and the files are read in alphabetical order.

I note that your conditional says "Syslog" but the input says "syslog". String comparisons are case-sensitive.
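
As an added example (not part of this thread, and not Logstash's own code), here is a small Python model of the two points above: config files are applied in sorted filename order, and the type comparison is case-sensitive. The stage functions are assumed stand-ins for the filter blocks in 01-syslog.conf and 02-firewall.conf; the events are constructed.

```python
import re

# Same host pattern as the mutate conditional in 01-syslog.conf.
FIREWALL_HOSTS = re.compile(r"192\.168\.56\.1|192\.168\.56\.2")


def syslog_stage(event, expected_type):
    """Stand-in for 01-syslog.conf: retag firewall hosts, but only when
    [type] equals expected_type exactly (string comparison is case-sensitive)."""
    if event.get("type") == expected_type and FIREWALL_HOSTS.search(event.get("host", "")):
        event["type"] = "firewall"
    return event


def firewall_stage(event):
    """Stand-in for 02-firewall.conf: only acts on events already tagged firewall."""
    if event.get("type") == "firewall":
        event.setdefault("tags", []).append("firewall_filter_ran")
    return event


def run_pipeline(event, conf_files):
    """Apply filter stages in the order their filenames sort, as Logstash
    reads config files alphabetically and runs filters in that order."""
    for _name, stage in sorted(conf_files.items()):
        event = stage(event)
    return event


def process(host, expected_type="syslog"):
    """Feed one event from the tcp input (type "syslog") through the configs."""
    conf = {
        "01-syslog.conf": lambda e: syslog_stage(e, expected_type),
        "02-firewall.conf": firewall_stage,
    }
    return run_pipeline({"type": "syslog", "host": host}, conf)


if __name__ == "__main__":
    print(process("192.168.56.1"))            # retagged firewall, firewall filter ran
    print(process("192.168.56.1", "Syslog"))  # case mismatch: never retagged
    print(process("10.0.0.5"))                # ordinary host: stays syslog
```

Renaming the firewall file so it sorts first (e.g. 00-firewall.conf) makes its filter run before the retag, so it never sees the event as type firewall.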


(Jason) #3

Good catch on the case sensitivity, thanks!

So technically the syslog filter would always run before the pfsense filter, since the syslog config file has a lower number... 01 vs 02


(Magnus Bäck) #4

So technically the syslog filter would always run before the pfsense filter, since the syslog config file has a lower number... 01 vs 02

Yes.


(Jason) #5

Thanks!!!

