Logstash grok matches on two different fields log_type and message

ajstark123 · October 6, 2017, 8:38pm

We are using file beat to read multiple logs and we are send the output to logstash. We want a logstash grok filter to activate when (log_type == syslog) and (matches on syslog message)

grok {
match => {"log_type" => "syslog" }
# every thing below this lines work for syslog. The line above is new
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{GREEDYDATA:syslog_message}" }
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}

magnusbaeck · October 10, 2017, 6:29pm

Wrap your grok filter in a conditional.

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html

system · November 7, 2017, 6:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.