Logstash forwarder with multiple log source types

dirtdiver512 · January 21, 2016, 4:50pm

All,

I have two log types I am trying to forward using the forwarder. One is a plain log and the other is a json fie. I need to be able to have ELK parse them differently but can not figure out how. For the json file, on the ELK server if i have the below it works great, but then the plain log file dies. the key t this working is the codec json part.

input {
lumberjack {
port => 5001
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
codec => json
}

magnusbaeck · January 21, 2016, 6:25pm

You could use a json filter that you enable selectively if the event looks like a JSON object.

filter {
  if [message] =~ /^\{/ {
    json {
      source => "message"
    }
  }
}