Logstash eventlog filter

My understanding is, the if condition in output,

if "error" in [tags] {
elasticsearch {
hosts => ["172.30.0.206:9200"]
}

will only send logs having "error" in tags to ES. So if there is no "error", those logs must be skipped. But it is not happening.

Logstash is starting with command sudo service logstash start

In your post above (earlier post), you are missing a curly brace. Not sure that is the issue, but your output is not properly terminated. You need 1 } at the bottom of output.

It should look like this:

output {
if "error" in [tags] {
elasticsearch {
hosts => ["172.30.0.206:9200"]
}
}
}

Hi,

I tried your configuration with the only difference that I used winlogbeat instead of nxlog (and different field names: level instead of Severity) and it works ok.

I am not sure what the issue is there.

As a different solution you can try the drop filter. I am using this to remove very noisy events. As an example, in your case it would be something like this:

# Match type and level.
filter {
  # Drop warning events
  if [type] == "eventlog" and [Severity] == "WARNING" {
    drop { }
  }
  # Drop informational events
  if [type] == "eventlog" and [Severity] == "INFO" {
    drop { }
  }
}

(Before you use this, if you do, check and make sure that the field names and values correspond to yours.)

Make sure you don't have any unexpected files in /etc/logstash/conf.d. Logstash will read all files. Specifically, make sure you don't have a file containing an elasticsearch output that isn't wrapped in a conditional.
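One way to catch both problems raised in this thread, the missing closing brace and a stray conf.d file whose elasticsearch output sits outside any conditional, is to walk the directory the way Logstash does, as one concatenated pipeline. This is an added example, not Logstash's own tooling; it uses a deliberately simple tokenizer (enough for brace and conditional structure, not a full config parser) and the sample files below are constructed.

```python
"""Added example (not part of Logstash): check a conf.d directory the way
Logstash reads it.  Logstash concatenates every file (in sorted order) into one
pipeline, so a stray file with an `elasticsearch { }` output outside any `if`
sends every event to ES and makes the conditional output elsewhere look broken.
Reports per-file brace imbalance and elasticsearch outputs with no conditional."""
import re

# One token per quoted string, comment, brace or bare word; strings come first
# so a '{' or '#' inside a string is never read as syntax.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{}]|[^\s{}"\']+')

def tokenize(text):
    return [t for t in TOKEN.findall(text) if not t.startswith("#")]

def check_confd(files):
    """files: {filename: content}. Returns {'brace_delta': {filename: opens - closes},
    'unconditional_outputs': [(filename, plugin), ...]}."""
    stack, delta, unconditional = [], {}, []   # stack: 'output', 'if' or plugin name
    for name in sorted(files):                 # same order Logstash uses
        delta[name], segment = 0, []           # segment: tokens since the last brace
        for tok in tokenize(files[name]):
            if tok == "{":
                delta[name] += 1
                # `if ... {`, `else if ... {`, `else {` open a conditional; any other
                # block belongs to the word right before the brace (section or plugin).
                if segment and segment[0] in ("if", "else"):
                    kind = "if"
                else:
                    kind = segment[-1] if segment else "?"
                if kind == "elasticsearch" and "output" in stack \
                        and "if" not in stack[stack.index("output"):]:
                    unconditional.append((name, kind))
                stack.append(kind)
                segment = []
            elif tok == "}":
                delta[name] -= 1
                if stack: stack.pop()
                segment = []
            else:
                segment.append(tok)
    return {"brace_delta": delta, "unconditional_outputs": unconditional}

# Constructed sample directory: the intended pipeline plus a forgotten test file
# that ships everything to Elasticsearch and is also missing its closing brace.
SAMPLE_CONFD = {
    "10-filter.conf": 'filter {\n  if [type] == "eventlog" and [Severity] == "INFO" { drop { } }\n}\n',
    "30-output.conf": 'output {\n  if "error" in [tags] {\n'
                      '    elasticsearch { hosts => ["172.30.0.206:9200"] }\n  }\n}\n',
    "99-test.conf": 'output {\n  elasticsearch { hosts => ["172.30.0.206:9200"] }\n',
}
```

Running `check_confd(SAMPLE_CONFD)` flags 99-test.conf as both unbalanced (+1) and as an unconditional elasticsearch output, which is exactly the file that would make the `if "error" in [tags]` output look as if it were ignored.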

There was an unwanted file in the conf.d folder. I deleted that and used the drop filter by @mourlos.
And now it's working. I am getting only ERROR messages.
But there is a new issue while getting logs in HipChat. I have raised a new query for it.

Anyway thank you very much.

Your idea worked for me. Thanks :slight_smile: