Logstash config query

gugansankar · December 5, 2015, 4:16pm

Till now I had maintain single configuration file in logstash server that is called as logstash-server.conf.

Now I would like to separate the configuration based on input criteria. my logstash service is pointed to default directory [ /etc/logstash/conf.d]

My query., each configuration file in the directory will be considered as separate one or will be treated as same file.

Current Config :

[root@srv conf.d]# pwd
/etc/logstash/conf.d
[root@srv conf.d]# ls
logstash-server.conf
[root@srv conf.d]#

Expected config structure:

[root@srv conf.d]# pwd
/etc/logstash/conf.d
[root@srv conf.d]# ls
production.conf testing.conf
[root@srv conf.d]#

magnusbaeck · December 5, 2015, 4:25pm

Having multiple configuration files in a directory is equivalent to concatenating those files in alphabetical filename order and passing the resulting file to Logstash.

gugansankar · December 5, 2015, 4:47pm

Thanks for your reply.

If I have written else statement in each configuration file, will it be considered to appropriate config or else it will be considered as global ?.

Production output config:

output {
if [type] == "prod" {
elasticsearch {
host => "localhost"
protocol => http
index => "prod-%{+YYYY.MM.dd}"
}
}
else {
file { path => "./prod_parsemissing.log" }
}
}

Testing output config:

output {
if [type] == "test" {
elasticsearch {
host => "localhost"
protocol => http
index => "test-%{+YYYY.MM.dd}"
}
}
else {
file { path => "./test_parsemissing.log" }
}
}

From the above config, what happen if the conditions fails. entries will be written to appropriate log files or else it will be written on last global else configuration.

magnusbaeck · December 5, 2015, 6:50pm

The contents of the two files above is equivalent to having

output {
  if [type] == "prod" {
    elasticsearch { ... }
  } else {
    file { ... }
  }
  if [type] == "test" {
    elasticsearch { ... }
  } else {
    file { ... }
  }
}

in a single file. Hence, messages with type equal to "prod" will be sent to a prod-* index in ES and test_parsemissing.log, and messages with type equal to "test" will be sent to a test-* index in ES and prod_parsemissing.log.

gugansankar · December 5, 2015, 7:21pm

I just confused here. Please confirm, Below is the correct one or above given statement is correct .

Message with type "prod" will be sent to prod- index* and prod_parsemissing.log file right

And Message with type "test" will be sent to test- index* and test_parsemissing.log file right

magnusbaeck · December 5, 2015, 7:25pm

No. With the conditions you have set up messages won't be sent to both the prod-* index in ES and prod_parsemissing.log. It's either or. Messages with a "prod" or "test" type will reach the elasticsearch output in one of the conditionals and the file output in the other conditional. Messages with another type value will reach the file output in both conditionals.