Logstash failed to differentiate log filtering based on data source IP address

We send logs from multiple systems through syslog to Logstash, which receives them normally. To distinguish logs sent from different systems, we need to distinguish them based on the IP address of the data source. As soon as if [host]="10.1.100.9" is added, the condition does not hold, and debug logs are no longer output. If this check statement is not added, debug logs are output normally. In version 6.4 of Logstash, using the same configuration, debug logs are output normally. The current version of Logstash is 8.12.0, and the following is the configuration of logstack.conf:

input {
  syslog {
    port => 514
  }
}
output {
  if [host] == "10.1.100.9" {
    stdout {
      codec => rubydebug
    }
  }
}

The following is the original log output:

Welcome to the community.

Please use the nested fields. In your case it should be:
if [host][ip] == "10.1.100.9" {

Thank you very much for your answer. Based on the method you provided, we have perfectly solved this problem :smiley:
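
The fix discussed in this thread, as an added example that is not part of the original posts: a pipeline that tags events by sender address using the nested field and flags senders that are not on the list. The second address (10.1.100.10) and the tag names are constructed for illustration; the commented-out `ecs_compatibility` line shows the syslog input option that restores the older top-level `host` layout instead.

```logstash
# Added example. Tag names and the second address are constructed.
input {
  syslog {
    port => 514
    # Logstash 8 uses ECS field names by default, so the syslog input
    # stores the sender's address in [host][ip]. Uncommenting the next
    # line restores the pre-ECS layout, where it is stored in the
    # top-level "host" field and `if [host] == "..."` matches again:
    # ecs_compatibility => disabled
  }
}

filter {
  # Tag each event by the system that sent it.
  if [host][ip] == "10.1.100.9" {
    mutate { add_tag => ["system_a"] }
  } else if [host][ip] == "10.1.100.10" {
    mutate { add_tag => ["system_b"] }
  } else {
    # Senders that are not on the list get their own tag so that
    # unexpected sources reaching port 514 are visible downstream.
    mutate { add_tag => ["unknown_source"] }
  }
}

output {
  # Same debug output as in the question, now selected by tag.
  if "system_a" in [tags] {
    stdout { codec => rubydebug }
  }
}
```

Printing one event with `stdout { codec => rubydebug }` and no conditional shows which layout the input is actually producing before any comparison is written against it.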
