Logstash filter not working


(Daniel Ebling) #1

Hi gals,

I am using the following filter:

filter {
  if [type] == "syslog" {
    # Messages from this one controller use a different layout
    if [host] == "X.X.X.X" {
      grok {
        match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{YEAR} %{DATA:host} %{DATA:syslog_program}: <%{DATA:othernumber}> <%{DATA:pid}> <%{DATA:severity_level}> <%{DATA:hostinfo} %{IP:client}> %{GREEDYDATA:syslog_message}" }
      }
      mutate {
        add_field => {
          system => "Controller"
        }
      }
    } else {
      # Standard syslog layout for every other host
      grok {
        match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:host} %{NUMBER:syslog_pid} %{DATA:syslog_program}: %{GREEDYDATA:syslog_message}" }
      }
    }
    mutate {
      add_field => {
        retention => "medium"
      }
      remove_tag => ["_grokparsefailure_sysloginput"]
    }
  }
}

I added the if / else clause because the syslogs from this specific IP look different, but it does not jump into the if branch of the clause.

Any ideas?

Thank you


(Lewis Barclay) #2

Try this instead:

if ([host] =~ /^192\.168\.0\.1/)

Obviously replace the IP address with your own.
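An added example (not code from either poster) that emulates the thread's filter in Python: it routes two constructed syslog lines with the prefix regex suggested in the reply, parses them with simplified stand-ins for the grok patterns, and shows how the `%{...:host}` captures in both patterns collide with the `host` field the input already set. The GROK table and the sample events are assumptions made for the example.

```python
import re

# Simplified stand-ins for the grok patterns in the thread's filter (assumptions, not Logstash's exact definitions).
GROK = {
    "POSINT": r"\d+", "NUMBER": r"-?\d+(?:\.\d+)?", "YEAR": r"\d{4}",
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}",
    "SYSLOGHOST": r"[\w.\-]+", "IP": r"\d{1,3}(?:\.\d{1,3}){3}",
    "DATA": r".*?", "GREEDYDATA": r".*",
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} and %{NAME} into a Python regex with named groups."""
    def repl(m):
        body = GROK[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern))

# The two grok patterns from the thread's filter, verbatim.
CONTROLLER_RE = grok_to_regex(
    "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{YEAR} %{DATA:host} "
    "%{DATA:syslog_program}: <%{DATA:othernumber}> <%{DATA:pid}> <%{DATA:severity_level}> "
    "<%{DATA:hostinfo} %{IP:client}> %{GREEDYDATA:syslog_message}")
DEFAULT_RE = grok_to_regex(
    "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:host} "
    "%{NUMBER:syslog_pid} %{DATA:syslog_program}: %{GREEDYDATA:syslog_message}")

def apply_filter(event, controller_ip):
    """Emulate the filter block: choose the grok pattern by [host], then mutate."""
    out = dict(event)
    # Prefix match as suggested in the thread: if [host] =~ /^a\.b\.c\.d/
    is_controller = re.match(re.escape(controller_ip), out.get("host", "")) is not None
    m = (CONTROLLER_RE if is_controller else DEFAULT_RE).match(out["message"])
    if m is None:
        out["tags"] = out.get("tags", []) + ["_grokparsefailure"]
    else:
        for field, value in m.groupdict().items():
            # grok adds to an existing field (making it an array) unless `overwrite`
            # is set, so the %{...:host} captures collide with the input's host.
            out[field] = [out[field], value] if field in out else value
    if is_controller:
        out["system"] = "Controller"
    out["retention"] = "medium"
    return out

# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {"host": "192.168.0.1", "message": "<134>Jan  5 10:15:01 2016 ctrl01 wlan: <12> <4567> <warning> <ap-2 10.1.2.3> client associated"},
    {"host": "10.0.0.7", "message": "<38>Jan  5 10:15:02 web01 1234 sshd: Accepted publickey for alice"},
]
```

Running `apply_filter` over `SAMPLE_EVENTS` leaves `host` as a two-element array on both events, which is worth checking in the real pipeline before relying on `[host]` comparisons downstream.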


(Daniel Ebling) #3

Thank you! Worked like a charm!