Logstash instance is listening on a single port.
I tried to separate incoming syslog messages as follows:
I tried two ways, with the "in" and "==" operators, but Logstash doesn't catch one of the ifs.
input {
  syslog {
    port => 5040
  }
}
output {
  if "10.1.x.x" in [host] {
    pipeline { send_to => "subpipeline-02" }
  }
  else if "host" == "10.1.x.y" {
    pipeline { send_to => "subpipeline-01" }
  }
  else {
    pipeline { send_to => fallback }
  }
}
Warning in logstash-plain.log:
[2019-11-04T11:49:43,681][WARN ][org.logstash.plugins.pipeline.PipelineBus] Attempted to send event to 'fallback' but that address was unavailable. Maybe the destination pipeline is down or stopping? Will Retry.
Does anybody have an idea how to solve this issue?
Thanks