I am ingesting a number of logs including /var/log/syslog, /var/log/messages, but also some proprietary logs in Common Event Format (CEF) and still other proprietary logs in various other formats. The entries of these logs are shot to Logstash from Filebeat running on various nodes, e.g.:
```yaml
filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /var/log/messages
    - /var/log/syslog
    - /var/log/acme/audit.log
    - /var/log/acme/debug.log
    - /var/log/acme/console.log
```
I have written dissect filters for these more proprietary logs. By itself, each filter works, remapping the message field, exploding key-value pairs, etc. to just what I want.

What I don't know how to do is configure Logstash with all of these dissect filters active at once, either by running the right dissect code for each log by filesystem path (or origin), or by noting the failure of one dissect clause and trying a different one instead.
Can this be done in Logstash in the way that I imply? If not, is there configuration in Filebeat that can differentiate the log entries before they reach Logstash in such a way as for Logstash to run different filters for different log entries?
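Both routes the question asks about exist in Logstash itself. The following pipeline is an added example, not code from the original post: it picks a dissect filter by the file path Filebeat records on each event, and falls back to a second pattern when the first one fails. The dissect mappings, the `[@metadata][pattern]` field and the `/var/log/acme/*` paths are placeholders standing in for the poster's own; it assumes Filebeat 7.x or later, which sets `[log][file][path]` on every event (older releases put the path in `[source]`).

```logstash
# Added example, not from the original post. Assumptions: Filebeat >= 7.x
# (event carries [log][file][path]); the dissect mappings below are
# placeholders for the poster's own patterns.
input {
  beats { port => 5044 }
}

filter {
  # Route by origin: the path Filebeat recorded for the event.
  if [log][file][path] == "/var/log/acme/audit.log" {
    dissect {
      mapping => { "message" => "%{ts} %{+ts} %{user} %{action} %{rest}" }
      # add_field only runs when the dissect succeeded, so this records
      # which pattern actually parsed the line (field name is an assumption).
      add_field => { "[@metadata][pattern]" => "acme-audit" }
    }

  } else if [log][file][path] =~ '^/var/log/acme/(debug|console)\.log$' {
    dissect {
      mapping => { "message" => "%{ts} [%{level}] %{msg}" }
      # "_dissectfailure" is the default tag_on_failure value; shown explicitly.
      tag_on_failure => ["_dissectfailure"]
      add_field => { "[@metadata][pattern]" => "acme-level" }
    }

    # Fallback: the first pattern did not match, so try a looser one.
    if "_dissectfailure" in [tags] {
      mutate { remove_tag => ["_dissectfailure"] }
      dissect {
        mapping => { "message" => "%{ts} %{msg}" }
        add_field => { "[@metadata][pattern]" => "acme-plain" }
      }
    }

  } else if [log][file][path] in ["/var/log/syslog", "/var/log/messages"] {
    # Plain syslog: leave it to whatever syslog parsing is already in place.
    mutate { add_field => { "[@metadata][pattern]" => "syslog" } }
  }

  # Anything that still carries _dissectfailure matched none of the patterns;
  # keep the tag so it can be found and the pattern fixed.
}

output {
  stdout { codec => rubydebug { metadata => true } }
}
```

Two caveats a practitioner would want. First, Logstash concatenates every file in `conf.d` into one pipeline, so splitting the dissect filters across files does not isolate them; the conditionals are what keep them apart. Second, if the path is not a stable key (the same format under different names on different nodes), do the differentiation on the Filebeat side instead: give each `filebeat.inputs` entry its own `fields: {logtype: acme-audit}` with `fields_under_root: true` (or a `tags:` list), and condition on `[logtype]` (or `"acme-audit" in [tags]`) in Logstash rather than on the path.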