How to separate arriving syslog messages

fim · November 4, 2019, 10:53am

Logstash instance is listening on a single port.

I tried to separate incoming syslog messages as follows:
Two ways with "IN" and "==" operator but logstash doesn't catch one of the IFs.

input {
    syslog {
        port => 5040
    }
}

output {
    if "10.1.x.x" in [host] {
        pipeline { send_to => "subpipeline-02" }
    }

    else if "host" == "10.1.x.y" {
        pipeline { send_to => "subpipeline-01" }
    }

    else {
        pipeline { send_to => fallback }
    }
}

Warning in logstash-plain.log

[2019-11-04T11:49:43,681][WARN ][org.logstash.plugins.pipeline.PipelineBus] Attempted to send event to 'fallback' but that address was unavailable. Maybe the destination pipeline is down or stopping? Will Retry.

Has anybody an idea how to solve this issue?

Thanks

system · December 2, 2019, 10:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash syslog output: Weird message processing Logstash	3	427	December 12, 2019
Multiple syslog input from different Device to Logstash Logstash	2	1072	July 31, 2019
How to send syslog to multiple destinations? Logstash	1	487	March 5, 2021
Separate syslog Logstash	1	78	April 16, 2024
Rsyslog to logstash help Logstash	4	1365	December 17, 2017

How to separate arriving syslog messages

Related Topics