Hello!
I read two Windows file shares with DNS logs with the following two separate configuration files:
DNS-Server 1:
input {
  file {
    path => "/var/log/logstash/dns-share-pdc/dns.log"
    tags => "dns"
    mode => "tail"
    sincedb_path => "/var/log/logstash/dns-pdc-log"
  }
}
filter {
  if "dns" in [tags] {
    if [message] =~ /^\r/ {
      drop {}
    }
    mutate {
      gsub => [
        "message", "\s\(\d+\)", " ",
        "message", "\(\d+\)\r", "\r",
        "message", "\(\d+\)", "."
      ]
    }
  }
}
output {
  if "dns" in [tags] {
    file {
      path => "/var/log/logstash/dns-import/pdc/pdc-dns-%{+YYYY-MM-dd}.log"
    }
  }
}
DNS-Server 2:
input {
  file {
    path => "/var/log/logstash/dns-share-gdc/dns.log"
    tags => "dns"
    mode => "tail"
    sincedb_path => "/var/log/logstash/dns-gdc-log"
  }
}
filter {
  if "dns" in [tags] {
    if [message] =~ /^\r/ {
      drop {}
    }
    mutate {
      gsub => [
        "message", "\s\(\d+\)", " ",
        "message", "\(\d+\)\r", "\r",
        "message", "\(\d+\)", "."
      ]
    }
  }
}
output {
  if "dns" in [tags] {
    file {
      path => "/var/log/logstash/dns-import/gdc/gdc-dns-%{+YYYY-MM-dd}.log"
    }
  }
}
Server 1 works fine, but the strange thing is that instead of getting the logs of Server 2 as configured above, I get a copy of the logs of Server 1 in the output file of Server 2. Yes, I have double-checked the mounted Windows file shares. I did not mount the same share twice by accident. What is causing the mix-up? Thanks in advance!
Cheers, Ben