Here is the snippet of my output section of logstash:
output {
# Syslog routing: picks one of three per-week indices (photon, vmkernel, pfsense)
# based on whether [message] contains "vcsa-4-westus2".
# NOTE(review): `["log_type" ]` is written differently from the `[log_type]` field
# reference used by the "http" conditional in this same output section; as written it
# may not read the log_type field at all. Confirm this branch actually matches.
if ["log_type" ] == "syslog" {
if "vcsa-4-westus2" in [message] {
elasticsearch {
# NOTE(review): `hosts` is set twice in this block (bare host:port here, https:// URL
# further down). Confirm which value, or whether both, Logstash ends up using.
hosts => ["elastic-monitor.service.discover:9200"]
# NOTE(review): Logstash documents variable references in quoted form ("${VAR}");
# verify that the unquoted form parses and resolves as intended.
user => ${username}
password => ${password}
# NOTE(review): the next two settings turn off server-certificate checking and TLS
# itself on a connection that carries user/password. They also contradict the `cacert`
# and the https:// host below; the plugin documentation appears to describe refusing to
# start when SSL is explicitly disabled and an https URL is listed. Verify for your
# version. With verification off, the CA file does not authenticate the server.
ssl_certificate_verification => false
ssl => false
# CA file is read from a user's home directory. Check its ownership and permissions.
cacert => "/home/testuser/ca-demo.pem"
hosts => ["https://elastic-monitor.service.discover:9200"]
index => "monitor-nsos-photon-%{+YYYY.ww}"
}
}
if "vcsa-4-westus2" not in [message] {
# Same connection settings as the output above; only `index` differs. Every copy has
# to be corrected when the TLS settings are fixed, so a missed copy stays insecure.
elasticsearch {
hosts => ["elastic-monitor.service.discover:9200"]
user => ${username}
password => ${password}
ssl_certificate_verification => false
ssl => false
cacert => "/home/testuser/ca-demo.pem"
hosts => ["https://elastic-monitor.service.discover:9200"]
index => "monitor-nsos-vmkernel-%{+YYYY.ww}"
}
}
# NOTE(review): as pasted, this `else` pairs with the `not in` test directly above, so it
# runs when [message] DOES contain "vcsa-4-westus2". The first conditional has
# already matched in that case, so such events appear to go to both the photon and the
# pfsense index. Confirm the intended nesting.
else {
elasticsearch {
hosts => ["elastic-monitor.service.discover:9200"]
user => ${username}
password => ${password}
ssl_certificate_verification => false
ssl => false
cacert => "/home/testuser/ca-demo.pem"
hosts => ["https://elastic-monitor.service.discover:9200"]
index => "monitor-nsos-pfsense-%{+YYYY.ww}"
}
}
}
# Filebeat events: vyos hosts get a dedicated index, everything else goes to the
# generic monitor-%{beatName} index.
if [beatName] == "filebeat" {
if [osName] == "vyos"{
elasticsearch {
hosts => ["elastic-monitor.service.discover:9200"]
user => ${username}
password => ${password}
# NOTE(review): TLS and certificate verification are both disabled on a connection that
# sends credentials, while `cacert` and the https:// host below imply TLS was intended.
# Confirm which is in effect; the same applies to the `else` output.
ssl_certificate_verification => false
ssl => false
cacert => "/home/testuser/ca-demo.pem"
hosts => ["https://elastic-monitor.service.discover:9200"]
index => "monitor-nsos-vyos-%{beatName}-%{+YYYY.ww}"
}
}
else {
elasticsearch {
hosts => ["elastic-monitor.service.discover:9200"]
user => ${username}
password => ${password}
ssl_certificate_verification => false
ssl => false
cacert => "/home/testuser/ca-demo.pem"
hosts => ["https://elastic-monitor.service.discover:9200"]
index => "monitor-%{beatName}-%{+YYYY.ww}"
}
}
}
# Auditbeat events: same vyos / non-vyos split and the same index patterns as the
# filebeat conditional.
if [beatName] == "auditbeat" {
if [osName] == "vyos"{
elasticsearch {
hosts => ["elastic-monitor.service.discover:9200"]
user => ${username}
password => ${password}
# NOTE(review): audit data and credentials are sent with TLS and certificate
# verification disabled, yet `cacert` and an https:// host are also configured.
# Confirm the effective transport; the same applies to the `else` output.
ssl_certificate_verification => false
ssl => false
cacert => "/home/testuser/ca-demo.pem"
hosts => ["https://elastic-monitor.service.discover:9200"]
index => "monitor-nsos-vyos-%{beatName}-%{+YYYY.ww}"
}
}
else {
elasticsearch {
hosts => ["elastic-monitor.service.discover:9200"]
user => ${username}
password => ${password}
ssl_certificate_verification => false
ssl => false
cacert => "/home/testuser/ca-demo.pem"
hosts => ["https://elastic-monitor.service.discover:9200"]
index => "monitor-%{beatName}-%{+YYYY.ww}"
}
}
}
# Winlogbeat events go to the generic monitor-%{beatName} index.
if [beatName] == "winlogbeat" {
elasticsearch {
hosts => ["elastic-monitor.service.discover:9200"]
user => ${username}
password => ${password}
# NOTE(review): TLS and certificate verification are disabled although credentials are
# sent and `cacert` plus an https:// host are configured. Confirm intent.
ssl_certificate_verification => false
ssl => false
cacert => "/home/testuser/ca-demo.pem"
hosts => ["https://elastic-monitor.service.discover:9200"]
index => "monitor-%{beatName}-%{+YYYY.ww}"
}
}
# Events whose logPath is "radacct" go to the switch-log index.
if [logPath] == "radacct" {
elasticsearch {
hosts => [ "elastic-monitor.service.discover:9200"]
# NOTE(review): `index` appears twice in this block with the same value; one copy is
# redundant.
index => "monitor-switch-log-%{+YYYY.ww}"
user => ${username}
password => ${password}
# NOTE(review): TLS and certificate verification are disabled although credentials are
# sent and `cacert` plus an https:// host are configured. Confirm intent.
ssl_certificate_verification => false
ssl => false
cacert => "/home/testuser/ca-demo.pem"
hosts => ["https://elastic-monitor.service.discover:9200"]
index => "monitor-switch-log-%{+YYYY.ww}"
}
}
# Beats data from the host named "pfSense" goes to the pfsense-filebeat index.
if [host][name] == "pfSense" and [type] == "beatsdata" {
elasticsearch {
hosts => ["elastic-monitor.service.discover:9200"]
user => ${username}
password => ${password}
# NOTE(review): TLS and certificate verification are disabled although credentials are
# sent and `cacert` plus an https:// host are configured. Confirm intent.
ssl_certificate_verification => false
ssl => false
cacert => "/home/testuser/ca-demo.pem"
hosts => ["https://elastic-monitor.service.discover:9200"]
index => "monitor-nsos-pfsense-filebeat-%{+YYYY.ww}"
}
}
# Any one of three markers (nexus log type, Api_ingestor source, syslog_field) routes
# the event to the api_ingester index.
if [fields][log_type] == "nexus" or [source_of_log]== "Api_ingestor" or [syslog_field] == "syslog"
{
elasticsearch {
hosts => ["elastic-monitor.service.discover:9200"]
user => ${username}
password => ${password}
# NOTE(review): TLS and certificate verification are disabled although credentials are
# sent and `cacert` plus an https:// host are configured. Confirm intent.
ssl_certificate_verification => false
ssl => false
cacert => "/home/testuser/ca-demo.pem"
hosts => ["https://elastic-monitor.service.discover:9200"]
index => "monitor-api_ingester-%{+YYYY.ww}"
}
}
# Events with log_type "http" go to the dev42_log index.
if [log_type] == "http" {
elasticsearch {
hosts => ["elastic-monitor.service.discover:9200"]
user => ${username}
password => ${password}
# NOTE(review): TLS and certificate verification are disabled although credentials are
# sent and `cacert` plus an https:// host are configured. Confirm intent.
ssl_certificate_verification => false
ssl => false
cacert => "/home/testuser/ca-demo.pem"
hosts => ["https://elastic-monitor.service.discover:9200"]
index => "monitor-dev42_log-%{+YYYY.ww}"
}
}
As you can see, the following section is duplicated in every elasticsearch output:
# The connection settings repeated in every elasticsearch output of the snippet.
# NOTE(review): `{username}` / `{password}` here lack the `$` used in the output section.
# NOTE(review): TLS and certificate verification are disabled while credentials, a CA
# file and an https:// host are configured. Because the block is copied into every
# output, any correction has to be made in each copy.
hosts => ["elastic-monitor.service.discover:9200"]
user => {username}
password => {password}
ssl_certificate_verification => false
ssl => false
cacert => "/home/testuser/ca-demo.pem"
hosts => ["https://elastic-monitor.service.discover:9200"]
Only the index names change. How can I avoid this duplication?
I tried writing an if condition inside the elasticsearch output, but it did not work. Any ideas?