Logstash - match filename

elk6 · July 19, 2020, 12:45pm

I have two servers. The first one hosts elastic stack. Both servers have a file /var/log/commands.log which is configured in the same way and are being shipped with filebeat to logstash.

Using grok, I tried parsing the data into custom fields using this statement:

if [log][file][path] == "/var/log/commands.log" {
grok{
match => { "message" => "*some grok stuff*"
}
}
}

Problem is, even though on both servers the file is /var/log/commands.log & they're configured the same - it skips the if statement as if it's false.
I've noticed that if I ship the logs locally (without filebeat - just do input{file{input => "/var/log/commands.log}} ) it works for the local "/var/log/commands.log" file on that machine that hosts logstash.

For reference, this is the full .conf file for logstash: https://pastebin.com/1QbnAG7G
This is how elastic sees the file path: https://i.imgur.com/5h9HXf2.png

Does anyone why it skips the "if" statement? How to make it filter by name. Thanks ahead!

Rom1 · August 6, 2020, 4:34pm

Hi,

In your shared conf, it seems that you use the regexp comparison operator =~ instead of ==.
So logstash thinks that "/var/log/commands.log" is a regex pattern

system · September 3, 2020, 4:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Make logstash filter by name Logstash	4	352	August 13, 2020
How can I check if the log file path contains a certain string in the logstash configuration using regex? Logstash	4	2861	April 28, 2020
Conditional being ignored for grok match Logstash	3	1075	July 6, 2017
How to apply different filters based on particular name of files without using Filebeat Logstash	5	864	July 16, 2019
Using conditionals to decide which logs to filter Logstash	3	346	October 3, 2019

Logstash - match filename

Related topics