I have configuration of logstash for syslog , it is collecting from multiple devices, how can i create separate indices for each device

Elastic Stack Logstash
1

here is my snippet:

      syslog {
        port => 9111
        syslog_field => "syslog"
        grok_pattern => "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} %{DATA:loglevel}: %{GREEDYDATA:message}"
        add_field => { "log_type" => "syslog" } # Add log_type field to syslog messages
    filter {
      if [log_type] == "syslog" {
        json {
          source => "message"
        }
     
        grok {
          match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} %{DATA:loglevel}: %{GREEDYDATA:message}" }
        }
     
        mutate {
          add_field => { "index_name" => "syslog_logs" } # Set the index name for syslog field
        }
      }
2

[2024-04-13T13:11:05,050][ERROR][logstash.outputs.opensearch][main][f07d574eba8e9bf8cf56e3e76bd091de1fadf988ff2f6edda9713b5a1dcdd0ac] Could not index event to OpenSearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"syslog_log-{"ip":"10.1.29.43"}-2024.04.13", :routing=>nil}, {"service"=>{"type"=>"system"}, "message"=>"[2024-04-13 13:11:04] INFO: This is an example testing message from Python code using syslog in Logstash", "log_type"=>"syslog", "@version"=>"1", "event"=>{"original"=>nil}, "host"=>{"ip"=>"10.1.29.43"}, "tags"=>["_grokparsefailure_sysloginput", "_jsonparsefailure", "_grokparsefailure"], "log"=>{"syslog"=>{"facility"=>{"name"=>"kernel", "code"=>0}, "priority"=>0, "severity"=>{"name"=>"Emergency", "code"=>0}}}, "index_name"=>"syslog_log-{"ip":"10.1.29.43"}", "@timestamp"=>2024-04-13T13:11:04.779830728Z}], :response=>{"index"=>{"_index"=>"syslog_log-{"ip":"10.1.29.43"}-2024.04.13", "_id"=>nil, "status"=>400, "error"=>{"type"=>"invalid_index_name_exception", "reason"=>"Invalid index name [syslog_log-{"ip":"10.1.29.43"}-2024.04.13], must not contain the following characters [ , ", *, \, <, |, ,, >, /, ?]", "index"=>"syslog_log-{"ip":"10.1.29.43"}-2024.04.13", "index_uuid"=>"na"}}}}
getting this error with

syslog {
        port => 9111
        syslog_field => "syslog"
        grok_pattern => "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} %{DATA:loglevel}: %{GREEDYDATA:message}"
        add_field => { "log_type" => "syslog" } # Add log_type field to syslog messages
    filter {
      if [log_type] == "syslog" {
        json {
          source => "message"
        }
     
        grok {
          match => { "message" => "%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:host} %{DATA:loglevel}: %{GREEDYDATA:message}" }
        }
     
        mutate {
          add_field => { "index_name" => "syslog_logs-%{host}" } # Set the index name for syslog field
        }
      }
3

OpenSearch/OpenDistro are AWS run products and differ from the original Elasticsearch and Kibana products that Elastic builds and maintains. You may need to contact them directly for further assistance. See What is OpenSearch and the OpenSearch Dashboard? | Elastic for more details.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns :elasticheart: )

4

Try "index_name" => "syslog_logs-%{[host][ip]}" or mutate { gsub => [ "host", '"', "" ] }