I wanted to have a clean structure with my grok filters. For example, I have PHP, nginx and a bunch of other filters for some of my application logs.
Would it therefore be okay to have, for example:
11-nginx.conf
13-php.conf
14-applogs.conf
In my present structure I have if statements that state the following:
    filter {
      if [log][file][path] == "/var/log/nginx/access.log" {
        grok {
          patterns_dir => ["/etc/logstash/patterns"]
          match => { "message" => "%{NGINX_ACCESS}" }
        }
      }
      else if [log][file][path] == "/var/log/nginx/error.log" {
        grok {
          patterns_dir => ["/etc/logstash/patterns"]
          match => { "message" => "%{NGINX_ERROR}" }
        }
      }
      else {
        grok {
          patterns_dir => ["/etc/logstash/patterns"]
          # the rest of this block is cut off in the post
        }
      }
    }
Is it necessary to carry on with this if statement approach if the rules are separated into different conf files?
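
An added example, not part of the original post: Logstash concatenates every file matched by a pipeline's `path.config` into a single configuration, so a filter in one file still sees events from every input, and each file needs its own conditional. The `/etc/logstash/conf.d` directory, the PHP log path and the `PHP_ERROR` pattern name are assumptions made for illustration.

```logstash
# /etc/logstash/conf.d/11-nginx.conf
# The if / else if chain stays inside this file; it cannot continue
# into the next file, because each file holds a complete filter block.
filter {
  if [log][file][path] == "/var/log/nginx/access.log" {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => { "message" => "%{NGINX_ACCESS}" }
    }
  } else if [log][file][path] == "/var/log/nginx/error.log" {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => { "message" => "%{NGINX_ERROR}" }
    }
  }
}

# /etc/logstash/conf.d/13-php.conf
# Hypothetical path and pattern name; substitute your own.
# Without this condition the grok would also run on nginx events
# and tag them with _grokparsefailure.
filter {
  if [log][file][path] == "/var/log/php/error.log" {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => { "message" => "%{PHP_ERROR}" }
    }
  }
}
```

A catch-all `else` branch like the one in the post has no direct equivalent once the chain is split across files, so it would have to be rewritten as an explicit condition in its own file.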