Hi there,
This is the configuration I am using for debugging purposes.
The goal is basically to filter source hosts in order to apply the appropriate filter to the messages, and to add a tag to distinguish them in Elasticsearch.
input {
  syslog {
    port => 5114
  }
}

filter {
  # vtiger
  if [host] == "192.168.40.140" or [host] == "192.168.40.141" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    mutate {
      add_tag => ["vtiger"]
    }
  }
  # NetScaler
  else if [host] == "192.168.41.111" {
    grok {
      # AppFirewall - CEF mode ON
      match => { "message" => "%{NOTSPACE} %{NOTSPACE}(?<security_check>(APPFW_[^\s|]+))%{DATA}%{IP:clientip} %{NOTSPACE} %{WORD}=%{WORD:verb} %{WORD}=%{NOTSPACE:request} %{WORD}=%{GREEDYDATA:explanation} cn1=%{WORD} cn2=%{WORD} cs1=%{WORD:profile} %{GREEDYDATA} act=%{GREEDYDATA:action}" }
    }
    mutate {
      add_tag => ["NetScaler AppFw"]
      remove_tag => ["_grokparsefailure_sysloginput"]
      remove_field => ["facility", "priority", "severity"]
    }
  }
}

output {
  stdout { codec => rubydebug }
}
This configuration is working, but I find it odd that I cannot simply write this:

  if [host] == ("192.168.40.140" or "192.168.40.141")

If I do, an exception is triggered.
The question is in the subject.
Maybe I am missing a point?
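The following is an added example, not part of the post above and not the poster's configuration. In a Logstash conditional, `or` joins two complete boolean expressions; it cannot combine two string literals into a single operand for `==`, which is why the parenthesised form is rejected by the config parser. The supported way to say "host is one of these" is the `in` operator with a list literal. The example rewrites the vtiger branch from the post that way and adds an `else` branch that tags events from any host not covered by a rule, so that an unexpected sender shows up in Elasticsearch as `unknown_source` rather than passing through silently unparsed. The addresses and tag names are taken from the post; the `unknown_source` tag is an assumption made for this example.

```conf
input {
  syslog {
    port => 5114
  }
}

filter {
  # "in" with a list literal is the membership test the conditional grammar
  # supports; it replaces the chain of "==" comparisons joined by "or".
  if [host] in ["192.168.40.140", "192.168.40.141"] {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
    mutate {
      add_tag => ["vtiger"]
    }
  }
  else {
    # Catch-all for senders no rule matches (tag name is an assumption for
    # this example): the raw message is kept, and the tag makes the gap
    # visible so a new or misconfigured source is noticed rather than ignored.
    mutate {
      add_tag => ["unknown_source"]
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

The same operator works for the negated case (`if [host] not in [...]`), and the right-hand side may also be a field reference holding a list rather than a literal, so the allowed-sender list can be carried on the event if it is enriched upstream.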