I am having an issue with multiple TCP inputs and Logstash not pulling in messages from the second TCP input.
The data received on port 6050 is going into the default index logstash-%{+YYYY.MM.dd}, but the data sent from rsyslog to port 6052 is not being recorded at all.
I gave the logstash user temp superuser permissions to rule out permissions and still no luck.
Here is what I have for config files (edited to remove sensitive data and not applicable data):
rsyslog.conf
    :fromhost-ip, isequal, "X.X.X.X" @@localhost:6052;json-template
    & stop
    *.* @@localhost:6050;json-template
logstash configs
01input.config
    input {
      tcp {
        host => "localhost"
        port => 6050
        codec => "json"
        tags => "rsyslog"
      }
      tcp {
        host => "localhost"
        port => 6052
        codec => "json"
        type => "debug"
        tags => "cubes"
      }
    }
    #filter { }
    #output { }
99output.conf
    output {
      if [tags] == "cubes" {
        elasticsearch {
          hosts => [ "10.30.97.248:9200" ]
          user => ["logstash"]
          password => ["password"]
          index => ["cubes-%{+YYYY.MM.dd}"]
        }
      } else {
        elasticsearch {
          hosts => [ "10.30.97.248:9200" ]
          user => ["logstash"]
          password => ["password"]
        }
      }
    }
When I perform a GET _cat/indices, none of the cubes-%{+YYYY.MM.dd} indices are even being created.