Logstash forwarder with multiple log source types

dirtdiver512 · January 21, 2016, 4:50pm

All,

I have two log types I am trying to forward using the forwarder. One is a plain log and the other is a json fie. I need to be able to have ELK parse them differently but can not figure out how. For the json file, on the ELK server if i have the below it works great, but then the plain log file dies. the key t this working is the codec json part.

input {
lumberjack {
port => 5001
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
codec => json
}

magnusbaeck · January 21, 2016, 6:25pm

You could use a json filter that you enable selectively if the event looks like a JSON object.

filter {
  if [message] =~ /^\{/ {
    json {
      source => "message"
    }
  }
}

Topic		Replies	Views
Mixed type lumberjack {} input Logstash	1	461	July 6, 2017
Lumberjack input issues Logstash	1	538	July 6, 2017
Multiple logstash-forwarder on same server Logstash	4	1816	July 6, 2017
Two or more network destinations for logstash-forwarer Logstash	4	1228	July 6, 2017
Reading Old Log files Logstash	12	2900	July 6, 2017

Logstash forwarder with multiple log source types

Related topics