How to handle multiple syslog inputs with Logstash to different indices

colix · May 16, 2019, 1:53pm

Hi, in input I use 2 ports by 2 project, I want handle them to different indices. But now all input go to prd.rnis-* index. Can you help?

input {
        syslog {
                port => 5001
                tags => ["prd.rnis"]
                grok_pattern => "<%{NONNEGINT:syslog_pri}>%{NONNEGINT:version}%{SPACE}(?:-|%{TIMESTAMP_ISO8601:syslog_timestamp})%{SPACE}(?:-|%{IPORHOST:hostname})%{SPACE}(?:%{SYSLOG5424PRINTASCII:program}|-)%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:process_id})%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:message_id})%{SPACE}(?:-|(?<structured_data>(\[.*?[^\\]\])+))(?:%{SPACE}%{GREEDYDATA:syslog_message}|)"
        }
        syslog {
                port => 5002
                tags => ["dem.nisr"]
                grok_pattern => "<%{NONNEGINT:syslog_pri}>%{NONNEGINT:version}%{SPACE}(?:-|%{TIMESTAMP_ISO8601:syslog_timestamp})%{SPACE}(?:-|%{IPORHOST:hostname})%{SPACE}(?:%{SYSLOG5424PRINTASCII:program}|-)%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:process_id})%{SPACE}(?:-|%{SYSLOG5424PRINTASCII:message_id})%{SPACE}(?:-|(?<structured_data>(\[.*?[^\\]\])+))(?:%{SPACE}%{GREEDYDATA:syslog_message}|)"
        }
}
filter {

                json {
                   source => "syslog_message"
                     }
                }


output {
        if "prd.rnis" in [tags] {
            elasticsearch {
                hosts => [ "elasticsearch:9200" ]
                index => "prd.rnis-%{+YYYY.MM.dd}"
                }}
        if "dem.nisr" in [tags] {
            elasticsearch {
                hosts => [ "elasticsearch:9200" ]
                index => "dem.nisr-%{+YYYY.MM.dd}"
                }}

  stdout { codec => rubydebug }

}

Badger · May 16, 2019, 2:51pm

Are you saying that there are documents in the prd.rnis index that do not have a prd.rnis tag?

colix · May 16, 2019, 3:14pm

No, I say, that I don't have documents in index dem.nisr. Documents in prd.rnis index only.

Badger · May 16, 2019, 3:18pm

That suggests nothing is arriving on port 5002.

colix · May 17, 2019, 8:23am

Hmm.. But I see traffic in tcpdump..
Ok, I wanted be sure, that my config is good.
I try fix it.

system · June 14, 2019, 8:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Different inputs logs with logstash Logstash	7	5084	August 10, 2017
Rsyslog to logstash help Logstash	4	1365	December 17, 2017
How to create multiple indexs with multiple input in logstash Logstash	8	2911	March 19, 2021
How to different syslog in the same port? Logstash	7	1625	February 20, 2022
How to create multiple index logstash Logstash	6	8240	November 13, 2019

How to handle multiple syslog inputs with Logstash to different indices

Related topics