Logstash failed to differentiate log filtering based on data source IP address

pacoxpk · February 4, 2024, 3:44am

Send logs from multiple systems through syslog to logstash, which can receive logs normally. In order to distinguish logs sent from different systems, it is necessary to distinguish them based on the IP address of the data source. As long as if [host]="10.1.100.9" is added, the condition does not hold, and debug logs cannot continue to be output. If this check statement is not added, debug logs can be output normally. In version 6.4 of logstash, using the same configuration, debug logs can be output normally, The current version of logstash is 8.12.0, and the following is the configuration of logstack.conf

input{
 syslog{
   port => 514
 }
}
output {
   if [host] == "10.1.100.9" {
     stdout {
         codec => rubydebug
     }
  }
}

The following is the original log output:

Rios · February 4, 2024, 6:39am

Welcome to the community.

Please use the nested fields. In your case should be:
if [host][ip] == "10.1.100.9" {

pacoxpk · February 4, 2024, 7:03am

Thank you very much for your answer. Based on the method you provided, we have perfectly solved this problem

system · March 3, 2024, 7:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash Filter output in different files according to incomming IP address Logstash	5	469	December 19, 2022
Conditional filtering by source with IP addresses Logstash	7	7000	April 11, 2017
I want to output log to elasticsearch index from only specific "host.ip" Logstash	5	1390	April 6, 2021
Logstash parsing syslog Logstash	8	3520	July 6, 2017
If conditional on nested field with IP address Logstash	10	3724	April 21, 2020

Logstash failed to differentiate log filtering based on data source IP address

Related topics