Hi everyone.
I want to show list the number of active users in VPN log using logstash.
I distinguished VPN logs login and logout using tags filed. So I have separate records for Login and Logout.
This is how I think.
- Save the user's value when login using ruby code in the filter.
- If the "tags" is login in the output, store it in the new index.
- If "tags" is logout, find the same ID in the new index where you saved the login and delete it.
filter{
kv {
include_keys => [ "date", "time", "action", "user", "status", "reason"]
}
.
.
if "login successfully" in [reason] {
mutate { add_tag => "login" }
ruby {
init => "@@user=''"
code => "
@@user=event.get('user')
"
}
}
.
.
}
output {
if "login" in [tags] {
elasticsearch {
hosts => ["localhost:9200"]
index => "activeuser"
}
} else if "logout" in [tags] {
ruby {
code => "
if event.get('user') == @@user
elasticsearch {
hosts => ["localhost:9200"]
index => "activeuser"
document_id => "%{id}"
action => "delete"
}
end
"
}
} else {
elasticsearch {
hosts => ["localhost:9200"]
index => "vpntest"
}
}
stdout { codec => rubydebug }
}
what should i do?
plus) When "tags" have login or logout value, I want to store it in the new index(activeuser) as well as in the existing index(vpntest). How is it possible? I tried but it did not work well.
Thanks for your help