I want to output logs to an Elasticsearch index from only a specific "host.ip".

"host.ip" is in "_source" as displayed in Kibana.

Please teach me how to resolve this.

logstash config

input {
  beats {
    port => 5044
  }
}

filter {
    grok {
       match => { "message" => "%{SYSLOGTIMESTAMP:Time} %{HOSTNAME:Hostname} %{GREEDYDATA:Message}" }
    }
    date {
        match => [ "Time", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
        target => "Time"
    }
}

output {
    elasticsearch {
      hosts => "<elasticsearch ip address>:9200"
      index => "server_log"
    }
}

20210308

In the filter section you could use

if [host][ip] != "10.197.218.10" { drop {} }

If the field actually has a period in the name then that would be

if [host.ip] != "10.197.218.10" { drop {} }

I tried both, but Elasticsearch couldn't receive logs from the host 10.197.218.10.

Config is below.

filter {
    if [host][ip] != "10.197.218.10" { drop {} }
    grok {
       match => { "message" => "%{SYSLOGTIMESTAMP:Time} %{HOSTNAME:Hostname} %{GREEDYDATA:Message}" }
    }
    date {
        match => [ "Time", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
        target => "Time"
    }
}
filter {
    if [host.ip] != "10.197.218.10" { drop {} }
    grok {
       match => { "message" => "%{SYSLOGTIMESTAMP:Time} %{HOSTNAME:Hostname} %{GREEDYDATA:Message}" }
    }
    date {
        match => [ "Time", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
        target => "Time"
    }
}

The "_source" field is auto-generated by Elastic.
The "message" field doesn't have host.ip.

It looks like beats add [host][ip] as an array of IP addresses, so you need an array membership test...

if "10.197.218.10" not in [host][ip] { drop {} }
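A self-contained way to check that conditional before pointing it at Beats, added here and not part of the thread: the generator input feeds two constructed events whose [host][ip] is an array (as Beats ships it), the json filter puts them into the event, and stdout shows which survive. It reuses the grok and date filters from the original config; the IPs are the ones from the thread.

```logstash
# Added example (not from the thread): reproduce the array-membership check
# without Beats, using the generator input plus the json filter.
input {
  generator {
    count => 1
    lines => [
      '{"message":"Mar  8 10:00:00 web01 sshd[123]: Accepted publickey","host":{"ip":["10.197.218.10","fe80::1"]}}',
      '{"message":"Mar  8 10:00:01 db01 cron[456]: job done","host":{"ip":["10.197.218.11"]}}'
    ]
  }
}

filter {
  # Parse the constructed JSON so [host][ip] becomes an array and the inner
  # syslog line replaces [message], matching what Beats delivers.
  json { source => "message" }

  # [host][ip] is an array: "!=" compares the whole array against a string and
  # is always true, so every event gets dropped. Test membership instead.
  # (An event with no [host][ip] at all is also dropped, which is what we want.)
  if "10.197.218.10" not in [host][ip] { drop {} }

  grok {
    match => { "message" => "%{SYSLOGTIMESTAMP:Time} %{HOSTNAME:Hostname} %{GREEDYDATA:Message}" }
  }
  date {
    match => [ "Time", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    target => "Time"
  }
}

output {
  # Print surviving events; swap in the elasticsearch output once this looks right.
  stdout { codec => rubydebug }
}
```

Run it with bin/logstash -f keep_one_host.conf; only the web01 event should be printed, and the pipeline exits once the generator has emitted both lines.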

Just resolved.
Thank you.
