Log in wrong index

meaglin · October 12, 2016, 8:12am

Again sorry i was to quick, i read both the document and your first comment again and i think i might have a bit of an understanding.

I have to filter the events and get them in the right output right?
What I'm not sure about yet is how to do it exactly, So some help there would be very much appreciated.

I think if i where to do it like this it should work right?

input {
	lumberjack {
		port => 5003
		type => "lumberjack"
		ssl_certificate => "/etc/logstash/logstash-forwarder.crt"
		ssl_key => "/etc/logstash/logstash-forwarder.key"
		codec => json
	}
}
filter {
	if [type] == "ossec" {
		geoip {
			source => "srcip"
			target => "geoip"
			database => "/opt/logstash/vendor/geoip/GeoLiteCity.dat"
			add_field => ["[geoip][location]", "%{[geoip][longitude]}"]
			add_field => ["[geoip][location]", "%{[geoip][latitude]}"]
		}
		date {
			match => ["timestamp", "YYYY MMM dd HH:mm:ss"]
			target => "@timestamp"
		}
		mutate {
			convert => ["[geoip][location]", "float"]
			rename => ["hostname", "AgentName"]
			rename => ["geoip", "GeoLocation"]
			rename => ["file", "AlertsFile"]
			rename => ["agentip", "AgentIP"]
			rename => ["[rule][comment]", "[rule][description]"]
			rename => ["[rule][level]", "[rule][AlertLevel]"]
			remove_field => ["timestamp"]
		}
	}
}

output {
	 # stdout {
		codec => rubydebug
	}
	elasticsearch {
		hosts => ["bcksrv16:9200"]
		index => "ossec-%{+YYYY.MM.dd}"
		document_type => "ossec"
		template => "/etc/logstash/elastic-ossec-template.json"
		template_name => "ossec"
		template_overwrite => true
	}
}


input {
	udp {
		port => 5001
		type => syslog
	}
}

filter {
	if [type] == "syslog" {
		grok {
			break_on_match => true
			match => ["message", "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(: %{POSINT:win_eventid})?(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}"]
			add_field => ["received_at", "%{@timestamp}"]
			remove_field => ["host"]
		}
		syslog_pri {}
		date {
			match => ["syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601", "MM/dd/yy HH:mm:ss"]
		}
	}
}

output {
	elasticsearch {
		hosts => bcksrv16
		index => "logstash-%{+YYYY.MM.dd}"
		document_type => "syslog"
	}
}

I have removed one filter part from the syslog part because it's no longer needed, we don't sent those items to logstash anymore.

Thanks for any help