Logstash only working for One filter while for other its not

Karn_Gusain · June 28, 2019, 4:23pm

I have below config almost running for 1 year and suddenly i got some open file issues on one of the cluster which i fixed after setting on the limits.conf in linux.

I have below logstash pipeline which is working fine of for the type => "apic_logs" while it not shiping the logs for type => "noi-syslog".

I dont see any errors on the logstash and elasticsearch nodes.

# cat logstash-syslog.conf
input {
  file {
    path => [ "/scratch/rsyslog/*/messages.log" ]
    start_position => beginning
    sincedb_path => "/scratch/registry-1"
    #sincedb_path => "/dev/null"
    max_open_files => 64000
    type => "noi-syslog"
  }
  file {
    path => [ "/scratch/rsyslog_CISCO/*/network.log" ]
    start_position => beginning
    #sincedb_path => "/dev/null"
    sincedb_path => "/scratch/registry-2"
    max_open_files => 64000
    type => "apic_logs"
  }
}

filter {
  if [type] == "noi-syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      remove_field => [ "host", "path" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
 }
 if "_grokparsefailure" in [tags] {
         drop { }
 }
}
  if [type] == "apic_logs" {
    grok {
      match => { "message" => "%{CISCOTIMESTAMP:syslog_timestamp} %{CISCOTIMESTAMP} %{SYSLOGHOST:syslog_hostname} (?<prog>[\w._/%-]+) %{SYSLOG5424SD:fault_code}%{SYSLOG5424SD:fault_state}%{SYSLOG5424SD:crit_info}%{SYSLOG5424SD:log_severity}%{SYSLOG5424SD:log_info} %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      remove_field => [ "host", "path" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
  }
 }
}
output {
        if [type] == "noi-syslog" {
        elasticsearch {
                hosts => "host-elk3:9200"
                manage_template => false
                index => "noi-syslog-%{+YYYY.MM.dd}"
                document_type => "messages"
  }
#       stdout{}
 }
}

output {
        if [type] == "apic_logs" {
        elasticsearch {
                hosts => "host-elk2:9200"
                manage_template => false
                index => "apic_logs-%{+YYYY.MM.dd}"
                document_type => "messages"
  }
 }
}

Please advise any clue or reference in this case.

system · July 26, 2019, 4:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash filter not working Logstash	3	303	December 21, 2018
Syslog data that is going into logstash not being picked up by elasticsearch Logstash	3	267	November 5, 2020
Problems in Elasticsearch combining two types of logs using two pipelines (Logstash) Logstash elastic-stack-security , docker	1	263	August 4, 2021
Filter syslog messages via priority Logstash	4	559	March 12, 2020
Problems in Elasticsearch combining two types of logs using two pipelines (Logstash) Logstash	2	256	July 7, 2021

Logstash only working for One filter while for other its not

Related topics