Logstash and/or Kibana config wrong

mariolanno · May 12, 2023, 2:58pm

Hi,

I cannot understand why I create two indexes on logstash to grab syslogs from two devices and then send to EL.

input {
  udp {
    host => "192.168.0.73"
    port => "5515"
  }


}


filter {}

output {
        elasticsearch {
                hosts           => ["http://127.0.0.1:9200"]
                index           => "vngaf-test-eu-%{+YYYY.MM.dd}"
        }
}

input {
  tcp {
    host => "192.168.0.73"
    port => "5514"
  }


}


filter {}

output {
        elasticsearch {
                hosts           => ["http://127.0.0.1:9200"]
                index           => "logstash-test-%{+YYYY.MM.dd}"
        }
}

Than on Kibana WEB UI -> Stack Management -> Kibana Index Pattern , I create an index pattern called like in the indexes of the files.
So, I think that the device that send logs on port tcp 5514 writes on the index "logstash-test-" and the device that send logs on udp 5515 writes on "vngaf-test-eu".

Instead, all two devices write on all two indexes.
Could I know why?
What I wrong in the configuration?

Thanks

stephenb · May 13, 2023, 4:20am

Because logstash Concatenates all the .conf files in a single directory... This is a very common mistake and misunderstanding.

So every event is going to both those outputs.

You need to use the pipelines.yml and name each of those pipelines separately.

mariolanno · May 15, 2023, 9:56am

Hello and thanks for your answer

I added these lines in the pipelines.yml but the result not changed.

# Custom Pipelines

- pipeline.id: cisco-pipeline_1
  path.config: "/etc/logstash/conf.d/cisco.conf"

- pipeline.id: vngaf_pipeline_2
  path.config: ""/etc/logstash/conf.d/vngaf.cfg"

Where is wrong?

Thanks

stephenb · May 15, 2023, 9:50pm

Are the events being sent to both ports?

Put a tag on the input and see if you see it on every event

input {
  udp {
    host => "192.168.0.73"
    port => "5515"
    tag => "udp"
  }

Same for the other...

Also would help if you showed the outputs. What are you seeing in discover??

How starting Logstash?

system · June 12, 2023, 9:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logs duplicated in all indices Elasticsearch	2	981	May 8, 2018
Created new index which is supposed to receive and collect logs from our endpoint solution however on Kibana it appears to list all the other index logs but expected? Elasticsearch	3	303	July 12, 2021
Logstash different .conf inputs are mixing up entries in indexes Logstash	4	975	April 24, 2019
Logstash/Elasticsearch/Kibana Fundamentals Elasticsearch	3	397	December 27, 2019
Logstash multiple pipelines going into same index Logstash	3	2336	May 13, 2018

Logstash and/or Kibana config wrong

Related topics