What's up everyone?! I hope you're all doing great.
Take a look at this problem I'm facing. I'm loading a few log files from an Apache server into ELK via Logstash. The process is pretty simple: I use the input to read the files and an output to send the data to Elasticsearch. As I have more than one VirtualHost on my Apache, I have 3, sometimes 4 or more log files I need to send. I generate individual indexes on Elasticsearch for each VirtualHost I have, and it's been working pretty well so far. I have a problem now that I have two VirtualHosts with very similar names, and it seems that Logstash isn't able to tell them apart. My config:
Logstash.conf file:
input {
  file {
    path => ["/path/apache/logs/soasa3.intranet_access*","/path/apache/logs/soasa.intranet_access*"]
    start_position => beginning
    exclude => "*.gz"
  }
}
output {
  if [path] =~ "soasa" {
    elasticsearch {
      hosts => ["myserver:9200"]
      index => "soasalogsacess-%{+yyyy.MM.dd}"
    }
    stdout {
      codec => rubydebug
    }
  }
  else if [path] =~ "soasa3" {
    elasticsearch {
      hosts => ["myserver:9200"]
      index => "soasa3logsacess-%{+yyyy.MM.dd}"
    }
    stdout {
      codec => rubydebug
    }
  }
}
As you can see, my VirtualHosts are soasa3.intranet and soasa.intranet.
With the configuration I mentioned, all data ends up in my index called soasalogsacess. If I invert the order in the config file, so that my first if statement is soasa3 and the second one is soasa, it works fine. Is there any precedence order, like the more complex one should come first?
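
The behaviour described in the post, as an added example that is not part of the original post: Logstash's `=~` is an unanchored regex match and an `if` / `else if` chain takes the first branch that matches, which this Ruby model reproduces. The function names and the `.log` sample file names are constructed for illustration; the patterns and index names are the ones from the post.

```ruby
# Added illustration (not the poster's code): models an if / else if output
# chain as "first matching rule wins" with unanchored regex matching.

# Rules in the order posted: the pattern "soasa" is tested first.
AS_POSTED = [
  [/soasa/,  "soasalogsacess"],
  [/soasa3/, "soasa3logsacess"],
].freeze

# Same patterns, more specific one first (the reordering that worked).
REORDERED = AS_POSTED.reverse.freeze

# Patterns extended up to the dot after the host name, so neither one
# matches the other host's path and branch order no longer matters.
ANCHORED = [
  [/soasa\.intranet_access/,  "soasalogsacess"],
  [/soasa3\.intranet_access/, "soasa3logsacess"],
].freeze

# Constructed sample paths that the two globs in the post would pick up.
SAMPLE_PATHS = [
  "/path/apache/logs/soasa.intranet_access.log",
  "/path/apache/logs/soasa3.intranet_access.log",
].freeze

# Return the index prefix of the first rule whose regex matches anywhere
# in the path, or nil if no rule matches.
def route(path, rules)
  rules.each do |pattern, index|
    return index if path =~ pattern
  end
  nil
end

# Map every sample path to the index it would be written to.
def routing_table(rules)
  SAMPLE_PATHS.to_h { |p| [p, route(p, rules)] }
end

if __FILE__ == $PROGRAM_NAME
  { "as posted" => AS_POSTED, "reordered" => REORDERED,
    "anchored" => ANCHORED, "anchored, reversed" => ANCHORED.reverse }.each do |name, rules|
    puts "#{name}:"
    routing_table(rules).each { |path, index| puts "  #{path} -> #{index}" }
  end
end
```

With the posted order both paths land in `soasalogsacess`, because `soasa` is a substring of `soasa3`; the patterns that include the dot give the same routing in either order.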