Hi,
I was using Logstash on my Windows machine, and it was working fine. Now my server is on Linux and I am using the Logstash Docker container. Most of the things which worked on Windows are not working now: the regex patterns, the json plugin, drop {}. Whatever I have given in filter {} is not working. Do I need to install all plugins when using a Docker container?
Here is my config file; it works on Windows. (websocket didn't work on Windows, so I was using stdin{}, but it works in Docker.)
input {
  websocket {
    url => "ws://localhost:3333/"
  }
}
filter {
  # Copy the whole line into "request" so it can be parsed as JSON below
  grok {
    match => { "message" => "%{GREEDYDATA:request}" }
  }
  # Capture the station number that follows "sta" into "interface"
  grok {
    match => [ "message", ".*?sta(?<interface>\d+)" ]
  }
  json {
    source => "request"
    target => "parsedJson"
    remove_field => ["request"]
  }
  if ([message] =~ ".new interface.") {
    mutate {
      add_field => {
        "status" => "Created Interface"
      }
      add_tag => "station_event"
    }
  }
  if ([message] =~ ".delete interface.") {
    mutate {
      add_field => {
        "status" => "Deleted Interface"
      }
      add_tag => "station_event"
    }
  }
  if ([message] =~ ".disconnected.") {
    mutate {
      add_field => {
        "status" => "Station disconnected"
      }
      add_tag => "station_event"
    }
  }
  if ([message] =~ ".CTRL - EVENT - CONNECTED.") {
    mutate {
      add_field => {
        "status" => "Station connected"
      }
      add_tag => "station_event"
    }
  }
  mutate {
    add_field => {
      "station" => "sta%{interface}"
    }
    add_field => {
      "time" => "%{[parsedJson][@timestamp]}"
    }
    add_field => {
      "detailed_status" => "%{[parsedJson][wifi-event]}"
    }
    remove_field => ["message", "@timestamp", "@version", "host", "parsedJson", "interface"]
  }
}
output {
  # Only events tagged by one of the conditionals above are written out
  if "station_event" in [tags] {
    file {
      path => "/tmp/logdata.log"
    }
  }
}
Please see my Dockerfile:
FROM docker.elastic.co/logstash/logstash:6.3.2
USER root
COPY certs/ /etc/pki/ca-trust/source/anchors/
RUN update-ca-trust
RUN logstash-plugin install logstash-input-websocket
RUN logstash-plugin install logstash-filter-mutate
RUN logstash-plugin install logstash-filter-drop
Could you please point out what I should modify/add to make it work in the Logstash Docker container?