How to handle multiple syslog inputs with Logstash to different indices

colix · May 16, 2019, 1:53pm

Hi, in input I use 2 ports by 2 project, I want handle them to different indices. But now all input go to prd.rnis-* index. Can you help?

input {
        syslog {
                port => 5001
                tags => ["prd.rnis"]
                grok_pattern => "<%{NONNEGINT:syslog_pri}>%{NONNEGINT:version}%{SPACE}(?:-|%{TIMESTAMP_ISO8601:syslog_timestamp})%{SPACE}(?:-|%{IPORHOST:hostname})%{SPACE}(?:%{SYSLOG5424PRINTASCII:program}|-)%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:process_id})%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:message_id})%{SPACE}(?:-|(?<structured_data>(\[.*?[^\\]\])+))(?:%{SPACE}%{GREEDYDATA:syslog_message}|)"
        }
        syslog {
                port => 5002
                tags => ["dem.nisr"]
                grok_pattern => "<%{NONNEGINT:syslog_pri}>%{NONNEGINT:version}%{SPACE}(?:-|%{TIMESTAMP_ISO8601:syslog_timestamp})%{SPACE}(?:-|%{IPORHOST:hostname})%{SPACE}(?:%{SYSLOG5424PRINTASCII:program}|-)%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:process_id})%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:message_id})%{SPACE}(?:-|(?<structured_data>(\[.*?[^\\]\])+))(?:%{SPACE}%{GREEDYDATA:syslog_message}|)"
        }
}
filter {

                json {
                   source => "syslog_message"
                     }
                }


output {
        if "prd.rnis" in [tags] {
            elasticsearch {
                hosts => [ "elasticsearch:9200" ]
                index => "prd.rnis-%{+YYYY.MM.dd}"
                }}
        if "dem.nisr" in [tags] {
            elasticsearch {
                hosts => [ "elasticsearch:9200" ]
                index => "dem.nisr-%{+YYYY.MM.dd}"
                }}

  stdout { codec => rubydebug }

}

Badger · May 16, 2019, 2:51pm

Are you saying that there are documents in the prd.rnis index that do not have a prd.rnis tag?

colix · May 16, 2019, 3:14pm

No, I say, that I don't have documents in index dem.nisr. Documents in prd.rnis index only.

Badger · May 16, 2019, 3:18pm

That suggests nothing is arriving on port 5002.

colix · May 17, 2019, 8:23am

Hmm.. But I see traffic in tcpdump..
Ok, I wanted be sure, that my config is good.
I try fix it.

system · June 14, 2019, 8:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logs duplicated in all indices Elasticsearch	2	1001	May 8, 2018
How to create multiple indexs with multiple input in logstash Logstash	8	3074	March 19, 2021
Rsyslog to logstash help Logstash	4	1398	December 17, 2017
Create multiple indexs with multiple input in logstash Logstash	14	4068	October 30, 2019
Create multiple indexes with same logstash config file Logstash	2	9328	September 14, 2017

How to handle multiple syslog inputs with Logstash to different indices

Related topics