As there are 2 config files in Logstash, logs are not received and forwarded to Kibana. I need to know whether i can have more than one conf file for logstash and if so, How to integrate the conf files.
I have mentioned the conf files below for reference
- /etc/logstash/logstash.conf
input {
udp {
host => "10.100.10.30"
port => 10514
codec => "json"
type => "rsyslog"
}
}
This is an empty filter block. You can later add other filters here to further process your log lines
filter { }
This output block will send all events of type "rsyslog" to Elasticsearch at the configured host and port into daily indices of the pattern, "rsyslog-YYYY.MM.DD"
output {
if [type] == "rsyslog" {
elasticsearch {
hosts => [ "10.100.10.30:9200" ]
}
}
}
- /etc/logstash/wazuh.conf
input {
beats {
host => "10.100.10.29"
port => 5000
codec => "json"
#> ssl => true
#> ssl_certificate => "/etc/logstash/logstash.crt"
#> ssl_key => "/etc/logstash/logstash.key"
}
}
filter {
if [data][srcip] {
mutate {
add_field => [ "@src_ip", "%{[data][srcip]}" ]
}
}
if [data][aws][sourceIPAddress] {
mutate {
add_field => [ "@src_ip", "%{[data][aws][sourceIPAddress]}" ]
}
}
}
filter {
geoip {
source => "@src_ip"
target => "GeoLocation"
fields => ["city_name", "country_name", "region_name", "location"]
}
date {
match => ["timestamp", "ISO8601"]
target => "@timestamp"
}
mutate {
remove_field => [ "timestamp", "beat", "input_type", "tags", "count", "@version", "log", "offset", "type", "@src_ip", "host"]
}
}
output {
elasticsearch {
hosts => ["10.100.10.30:9200"]
index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
document_type => "wazuh"
}
}