How to avoid the repetition of code in the output section in Logstash

Here is the output section of my Logstash configuration:

# Output section. Every `elasticsearch` block below repeats the same
# connection settings and differs only in `index`.
# NOTE(review): the top-level conditions are independent `if`s rather than an
# if / else if chain, so an event that satisfies more than one of them is
# sent to more than one index.
# NOTE(review): `hosts` is declared twice in every block (plain and https://
# form); which value Logstash applies is ambiguous at best -- keep only one.
# NOTE(review): `ssl_certificate_verification => false` disables checking of
# the server certificate, so the `cacert` given next to it is not used to
# authenticate the cluster, and `ssl => false` contradicts the https:// host
# entry. Confirm the intended TLS settings before relying on this pipeline.
output {
if ["log_type" ] == "syslog" {
# Syslog events mentioning the vCenter host go to the photon index.
if "vcsa-4-westus2" in [message] {
elasticsearch {
        hosts => ["elastic-monitor.service.discover:9200"]
        # Credentials come from ${...} substitution at startup (environment
        # or Logstash keystore), so none are written into this file.
        user => ${username}
        password => ${password}
        # See the review note at the top of the block: verification is off.
        ssl_certificate_verification => false
        ssl => false
        cacert => "/home/testuser/ca-demo.pem"
        # Second `hosts` declaration, https:// form.
        hosts => ["https://elastic-monitor.service.discover:9200"]
        index => "monitor-nsos-photon-%{+YYYY.ww}"
        }
  }

# All other syslog events go to the vmkernel index.
if "vcsa-4-westus2" not in [message]  {
elasticsearch {
        hosts => ["elastic-monitor.service.discover:9200"]
        user => ${username}
        password => ${password}
        ssl_certificate_verification => false
        ssl => false
        cacert => "/home/testuser/ca-demo.pem"
        hosts => ["https://elastic-monitor.service.discover:9200"]	
        index => "monitor-nsos-vmkernel-%{+YYYY.ww}"
        }
}

# NOTE(review): this `else` pairs with the `not in` test directly above it, so
# it runs exactly when "vcsa-4-westus2" IS in [message] -- the same events the
# first branch already sent to the photon index. Those events are indexed
# twice; the pfsense branch most likely needs a condition of its own.
else {
elasticsearch {
        hosts => ["elastic-monitor.service.discover:9200"]
        user => ${username}
        password => ${password}
        ssl_certificate_verification => false
        ssl => false
        cacert => "/home/testuser/ca-demo.pem"
        hosts => ["https://elastic-monitor.service.discover:9200"]	
        index => "monitor-nsos-pfsense-%{+YYYY.ww}"
        }
}
}

# Filebeat events: VyOS hosts get a dedicated index, everything else is
# indexed by beat name.
if [beatName] == "filebeat" {
    if [osName] == "vyos"{
                elasticsearch {
                        hosts => ["elastic-monitor.service.discover:9200"]
                        user => ${username}
                        password => ${password}
                        ssl_certificate_verification => false
                        ssl => false
                        cacert => "/home/testuser/ca-demo.pem"
                        hosts => ["https://elastic-monitor.service.discover:9200"]	
                        index => "monitor-nsos-vyos-%{beatName}-%{+YYYY.ww}"
                        }
                 }
    else {
      elasticsearch {
        hosts => ["elastic-monitor.service.discover:9200"]
        user => ${username}
        password => ${password}
        ssl_certificate_verification => false
        ssl => false
        cacert => "/home/testuser/ca-demo.pem"
        hosts => ["https://elastic-monitor.service.discover:9200"]	
        index => "monitor-%{beatName}-%{+YYYY.ww}"
        }
    }
}

# Auditbeat events: identical routing to the filebeat branch above.
if [beatName] == "auditbeat" {
    if [osName] == "vyos"{
                elasticsearch {
                        hosts => ["elastic-monitor.service.discover:9200"]
                        user => ${username}
                        password => ${password}
                        ssl_certificate_verification => false
                        ssl => false
                        cacert => "/home/testuser/ca-demo.pem"
                        hosts => ["https://elastic-monitor.service.discover:9200"]	
                        index => "monitor-nsos-vyos-%{beatName}-%{+YYYY.ww}"
                        }
                }
    else {
        elasticsearch {
        hosts => ["elastic-monitor.service.discover:9200"]
        user => ${username}
        password => ${password}
        ssl_certificate_verification => false
        ssl => false
        cacert => "/home/testuser/ca-demo.pem"
        hosts => ["https://elastic-monitor.service.discover:9200"]	
        index => "monitor-%{beatName}-%{+YYYY.ww}"
        }
    }
}

# Winlogbeat events are indexed by beat name only.
if [beatName] == "winlogbeat" {
        elasticsearch {
        hosts => ["elastic-monitor.service.discover:9200"]
        user => ${username}
        password => ${password}
        ssl_certificate_verification => false
        ssl => false
        cacert => "/home/testuser/ca-demo.pem"
        hosts => ["https://elastic-monitor.service.discover:9200"]	
        index => "monitor-%{beatName}-%{+YYYY.ww}"
        }
    }
# RADIUS accounting logs.
# NOTE(review): in this block `index` is also declared twice (same value),
# in addition to the doubled `hosts`.
if [logPath] == "radacct" {
elasticsearch {
     hosts => [ "elastic-monitor.service.discover:9200"]
     index => "monitor-switch-log-%{+YYYY.ww}"
     user => ${username}
        password => ${password}
        ssl_certificate_verification => false
        ssl => false
        cacert => "/home/testuser/ca-demo.pem"
        hosts => ["https://elastic-monitor.service.discover:9200"]	
        index => "monitor-switch-log-%{+YYYY.ww}"
        }
}

# Beats data from the pfSense host.
# NOTE(review): this condition is not exclusive with the [beatName] branches
# above; a pfSense event that also carries a matching beatName is output by
# both.
if [host][name] == "pfSense" and [type] == "beatsdata" {
elasticsearch {
        hosts => ["elastic-monitor.service.discover:9200"]
        user => ${username}
        password => ${password}
        ssl_certificate_verification => false
        ssl => false
        cacert => "/home/testuser/ca-demo.pem"
        hosts => ["https://elastic-monitor.service.discover:9200"]	
        index => "monitor-nsos-pfsense-filebeat-%{+YYYY.ww}"
        }
  }

# Nexus, API-ingestor and syslog-tagged events share one index.
 if [fields][log_type] == "nexus" or [source_of_log]== "Api_ingestor" or [syslog_field] == "syslog" 
    {
      elasticsearch {
        hosts => ["elastic-monitor.service.discover:9200"]
        user => ${username}
        password => ${password}
        ssl_certificate_verification => false
        ssl => false
        cacert => "/home/testuser/ca-demo.pem"
        hosts => ["https://elastic-monitor.service.discover:9200"]	
        index => "monitor-api_ingester-%{+YYYY.ww}"
      }
    }

# HTTP logs.
if [log_type] == "http"  {
elasticsearch {
        hosts => ["elastic-monitor.service.discover:9200"]
        user => ${username}
        password => ${password}
        ssl_certificate_verification => false
        ssl => false
        cacert => "/home/testuser/ca-demo.pem"
        hosts => ["https://elastic-monitor.service.discover:9200"]	
        index => "monitor-dev42_log-%{+YYYY.ww}"
      }
}

As you can see, the following code section is duplicated in every block:
hosts => ["elastic-monitor.service.discover:9200"]
user => ${username}
password => ${password}
ssl_certificate_verification => false
ssl => false
cacert => "/home/testuser/ca-demo.pem"
hosts => ["https://elastic-monitor.service.discover:9200"]

Only the index names change. How can I avoid this duplication?
I tried writing an if condition inside the elasticsearch output, but it did not work. Any ideas?

If the index name prefix is the only thing that differs, you can store the index prefix in a metadata field in your filter block and then use it in a single elasticsearch output block.

...
else if [logPath] == "radacct" {
  mutate {
    add_field => { "[@metadata][index_prefix]" => "monitor-switch-log" }
  }
}
else if [beatName] == "winlogbeat" {
  ...
elasticsearch {
  ...
  index => "%{[@metadata][index_prefix]}-%{+YYYY.ww}"
}
