Are you using the pipelines.yml to configure multiple pipelines? What does your pipelines.yml look like?
If you didn't configure logstash to use multiple pipelines with pipelines.yml then you have just only one pipeline and unless you have conditionals in this pipeline, the data from all inputs will pass through all filters and go to all outputs.
Also, share some evidence about this issue: share logs, the output you are getting, and the expected output.
You need to share your pipelines configurations, it is impossible to know what your Logstash is doing without it.
Also, avoid sharing plain text as screenshots as it is not possible to copy to try to replicate your pipelines, share them as text using the preformatted text option, the </> button.
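As an added illustration of the point above (this is example configuration, not taken from the thread or from the poster's setup), a single pipeline in which two inputs are tagged at ingest time so that conditionals keep each source in its own filter and output branch. The file paths, index names and Elasticsearch host are assumed placeholders.

```logstash
# Added example: one pipeline, two sources, routed by tag.
# Without the "if ... in [tags]" conditionals, every event from both inputs
# would run through every filter and be written to every output.
input {
  file {
    path => "/var/log/checkpoint/*.log"   # assumed path
    tags => ["checkpoint"]                 # mark the source at ingest time
  }
  file {
    path => "/var/log/fortigate/*.log"    # assumed path
    tags => ["fortigate"]
  }
}

filter {
  if "checkpoint" in [tags] {
    # Check Point logs are key=value pairs separated by semicolons (assumption
    # about the log format used here; adjust to the real exporter settings).
    kv { source => "message" field_split => ";" value_split => "=" }
  } else if "fortigate" in [tags] {
    # FortiGate syslog payloads are space-separated key=value pairs.
    kv { source => "message" field_split => " " value_split => "=" }
  }
}

output {
  if "checkpoint" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]      # assumed host
      index => "checkpoint-%{+YYYY.MM.dd}"    # assumed index naming
    }
  } else if "fortigate" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "fortigate-%{+YYYY.MM.dd}"
    }
  }
}
```

If the two sources instead share one file, as later posts in this thread describe, tagging per input cannot separate them; the routing condition then has to match on something inside each line (for example a vendor-specific field such as `devname=` for FortiGate), and a line that carries fragments of both vendors' records will match neither branch cleanly, which is worth checking for with a third, catch-all branch that writes unmatched events somewhere you can inspect.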
# This file is where you define your pipelines. You can define multiple.
# For more information on multiple pipelines, see the documentation:
# https://www.elastic.co/guide/en/logstash/current/multiple-pipelines.html
#- pipeline.id: main
#  path.config: "/etc/logstash/conf.d/*.conf"
- pipeline.id: main
  path.config: "/etc/logstash/conf.d/main.conf"
- pipeline.id: sentinel
  path.config: "/etc/logstash/conf.d/sentinel.conf"
#- pipeline.id: sentinel-win-fortigate
#  path.config: "/etc/logstash/conf.d/sentinel-win-fortigate.conf"
filter {
  # Note: the right-hand side of =~ is a regular expression, so "10.1.2.3" also
  # matches e.g. "10x1y2z3" and "[localhost]" is a character class, not the
  # literal text; escape with \. and \[ \] if a literal match is intended.
  if [message] =~ "10.1.2.3" and [message] =~ "[localhost] sudo: pam_unix" { drop { } }
  if [message] =~ "10.1.2.3" and [message] =~ "kernel: " { drop { } }
  if [message] =~ "diskUuid" { drop { } } #filter from Logstash 3/4
}
Well, I'm not sure what your issue is. You have just one source of logs; your Check Point and Fortigate logs are coming from the same file.
If you have logs merged in Logstash, it means that they are merged in the source file. If something is missing from the logs in Logstash, it means that they are also missing in the source file. You need to check how you are creating this source file.
Thanks for checking. I have validated the source file; the logs look OK to me. I suspect that, considering the huge log volume, logs are getting merged when bandwidth is high. Do you suggest any performance tuning or any parameter for controlling the traffic?
It really depends on how this log is generated, but this is not an issue with Logstash; it is an issue with how you are creating this log. Logstash will consume the log as it is.