I want to make sure I identify the that the logs are coming from nginx before processing this grok filter, is this syntax still valid in version 7x?
filter {
if [program] == "nginx_access" {
grok {
match => { "message" => "%{NGINX_ACCESS}" }
}
}
elseif [program] == "nginx_error" {
grok {
match => { "message" => "%{NGINX_ERROR}" }
}
}
Or should I use source, my logs are coming via a filebeat shipper