How to divide data from one agent into two indexes?

psyapathy · August 22, 2019, 3:53pm

Hello!
I have a Windows server, it is winlogbeat, data is sent to Elasticsearch via Logstash.
I'm getting data from the security log and sysmon.

All this data is sent to the index "index1". But there is data, which have event.action equals "Test". I want to receive data with event.action="Test" to "index2".

My output.conf for Logstash now:

output {
if "winserv1" in [tags {
        elasticsearch {
            hosts => "localhost:9200"
            index => "index1-%{+YYYY.MM.dd}" 
        }
  }
}

Help me pleas.

I try:

output {
 if "winserv1" in [tags {
         elasticsearch {
             hosts => "localhost:9200"
             index => "index1-%{+YYYY.MM.dd}" 
         }
   }else if "Test" in [event.action]{
     elasticsearch {
         hosts => "localhost:9200"
         index => "index2-%{+YYYY.MM.dd}" 
     }
   }
   }

But it doesn't work..

Badger · August 22, 2019, 6:03pm

Do you have a dot in the field name or an object called event that contains an action field. If the latter then use [event][action]

You could also use

filter {
    if "winserv1" in [tags] {
        mutate { add_field => { "[@metadata][index]" => "index1-%{+YYYY.MM.dd}" } }
    } else if "Test" in [event.action] {
        mutate { add_field => { "[@metadata][index]" => "index2-%{+YYYY.MM.dd}" } }
    }
}
output {
     elasticsearch {
         hosts => "localhost:9200"
         index => "[@metadata][index]"
     }
}

system · September 19, 2019, 6:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.