Logs duplicated in all indices

killbartonking · April 9, 2018, 7:28pm

currently running the latest release of the whole stack- at the moment, i have several inputs with a different logstash config file for each, but for some reason, data from one input is showing up in a different index. for example:

/etc/logstash/conf.d/netflow.conf:

input {
udp {
host => "10.5.50.43"
port => 5150
codec => netflow
type => "netflow"
}
}

output {
elasticsearch {
hosts => "10.5.50.42:9200"
manage_template => false
index => "netflow-%{+YYYY.MM.dd}"
}
}

/etc/logstash/conf.d/syslog.conf:

input {
syslog {
host => "10.5.50.43"
port => 5140
}
}

output {
elasticsearch {
hosts => "10.5.50.42:9200"
manage_template => false
index => "syslog-%{+YYYY.MM.dd}"
}
}

if i select the syslog-* index in the discover tab in kibana, i'm able to see netflow data in that index as well. any ideas?

Evesy · April 10, 2018, 9:08am

Hey,

Logstash config such as above is essentially all merged together at runtime, so what you have specified as two separate configs will become a single Logstash pipeline. This means any data received form either input (:5140 or :5150) will be sent to both Elasticsearch outputs.

Here's a recent discussion around the same thing: Beats Received on Port 11001 Are Being Processed By Port 11000 Config

Your options are to tag data at the input level, and then wrap your outputs in conditionals that will only match the relevant tags:

e.g.

input {
  beats {
    id => "appa_beats"
    client_inactivity_timeout => 1200
    port => 11000
    tags => ["appa"]
  }
}

output {
  if "appa" in [tags] {
    logstash {
      # The Logstash hosts
      hosts: ["logstash:11000"]
    }
  }
}

You could also look at using Logstash 6.x multiple pipelines: https://www.elastic.co/guide/en/logstash/6.x/multiple-pipelines.html

If you're stuck on an older Logstash version for whatever reason, you can run multiple Logstash instances on the same machine that each load just the correct configs, however I've never tried it.

Cheers,
Mike

system · May 8, 2018, 9:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash different .conf inputs are mixing up entries in indexes Logstash	4	975	April 24, 2019
Separate configs, different indexes yet both logs go to both indexes Logstash	2	536	October 30, 2017
Logstash and/or Kibana config wrong Logstash	4	202	June 12, 2023
Logstash multiple pipelines going into same index Logstash	3	2336	May 13, 2018
Same information in differents Indexes Elasticsearch	5	626	July 5, 2017

Logs duplicated in all indices

Related topics