I have a single-node Elastic stack running with the following architecture:
Filebeat > Logstash > Elasticsearch
Filebeat is doing the tagging and logstash will point the documents to be indexed on different indices depending on the tags.
However, I noticed within Kibana "Discover" tab, documents are indexed in the correct indices. At the same time, it is also indexed into index named "indexfordrop-2" (this is meant as a "catch-all" document and also for troubleshooting this issue). For example, I have Cisco logs indexed into "filebeat-security-ciscoasa-%{+YYYY.MM.dd}" and at the same time, it is also indexed into "indexfordrop-2".
This is really puzzling: why would logstash index it into 2 different indices?
Here's what I gathered so far:
The documents on both indices seem to be the same; I randomly searched through 5-10 documents and both indices have the same document information (but with different document IDs, of course).
This only happens for logs that are enabled on filebeat modules (Cisco in this case).
Yes, and in your updated configuration the fifth elasticsearch output will receive everything that is not tagged with "threatintel-malwarebazaar". I think what you want is
if "extsyslog" in [tags] { elasticsearch {} }
else if "customintel-csv" in [tags] { elasticsearch {} }
else if "cisco-asa" in [tags] { elasticsearch {} }
else { elasticsearch {} }
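Written out as a full output section, this is what that chain looks like; it is an added illustration of the point above, not configuration from the thread. The `hosts` value and the index names for the first two branches are assumptions, while `indexfordrop-2` and the Cisco index pattern come from the question.

```logstash
output {
  # Independent "if" blocks are all evaluated for every event, so a document
  # tagged "cisco-asa" that is also not tagged "threatintel-malwarebazaar"
  # hits the Cisco output AND a catch-all written as
  #   if "threatintel-malwarebazaar" not in [tags] { ... index => "indexfordrop-2" }
  # and ends up in both indices. An "else if" chain fires exactly one branch.
  if "extsyslog" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]                      # assumed single-node endpoint
      index => "filebeat-security-extsyslog-%{+YYYY.MM.dd}"   # assumed index name
    }
  } else if "customintel-csv" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "customintel-csv-%{+YYYY.MM.dd}"               # assumed index name
    }
  } else if "cisco-asa" in [tags] {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "filebeat-security-ciscoasa-%{+YYYY.MM.dd}"    # pattern from the question
    }
  # Any further tag-specific output (for example one for "threatintel-malwarebazaar")
  # belongs here as another "else if", before the final "else".
  } else {
    # Only events matching none of the tags above reach the catch-all index.
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "indexfordrop-2"
    }
  }
}
```

After the change, a document count on `indexfordrop-2` that stops growing while the tag-specific indices keep filling confirms the catch-all is now only receiving untagged events.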