Logstash profile

System is Ubuntu
Logstash version 7.17

The current idea is to collect logs (via syslog on port 514) from different servers and network devices.
Logstash will then send the parsed logs to Elasticsearch.
I have successfully received logs and sent them to Elasticsearch.

But I want to use separate conf files to separate devices from different sources.
For example, the DHCP log would get a DHCP.conf, named after the log it represents, with its own output index.

I tried forwarding with ufw first:
redirect port 514 from 2 different source hosts to specific ports,
then use separate conf files.
The logs were also successfully delivered to Elasticsearch and built 2 indexes,
but the content is not separated.

Is there any other way to solve it?
Because the sources are different devices, the log parsing methods are also different.

AFAIK you cannot have multiple configurations on the same port. When you set a port number, LS will run an instance with a listener on that port.

Options:
a) One single .conf with a few IFs which will handle the cases of different sources. There is always a unique field in a message to distinguish the source. Input must be the same; output will again be with IFs.
b) Multiple ports, one for every source, for instance 514-DHCP, 515-firewall, ...
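Both options above can live in one pipeline file. The following is an added example and not code from the thread: a single Logstash 7.x pipeline that separates two syslog sources either by sender address (option a, using the `[host]` field the syslog input fills with the client IP) or by listening port (option b, with `type` set at ingest time), applies a different grok pattern per source, and writes each source to its own index. The IP addresses, the grok patterns and the `localhost:9200` endpoint are assumptions; replace them with the real device addresses and message layouts.

```conf
# Added example (not from the thread): one pipeline, two sources, two indexes.
input {
  # Option (a): every device sends to 514. The syslog input sets [host] to the
  # sender's IP address, which is the "unique field" used to tell sources apart.
  syslog {
    port => 514
  }
  # Option (b): a second listener on its own port, labelled at ingest time, so
  # no address-based classification is needed for events arriving here.
  syslog {
    port => 515
    type => "firewall"
  }
}

filter {
  # Option (a): classify by sender address when the input did not set a type.
  # 192.0.2.10 / 192.0.2.20 are placeholder addresses (assumption).
  if ![type] {
    if [host] == "192.0.2.10" {
      mutate { add_field => { "type" => "dhcp" } }
    } else if [host] == "192.0.2.20" {
      mutate { add_field => { "type" => "firewall" } }
    } else {
      # Unknown senders are kept, not dropped, so a new device shows up as
      # an "unknown" index instead of silently vanishing.
      mutate { add_field => { "type" => "unknown" } }
    }
  }

  # Per-source parsing: the DHCP and firewall messages have different layouts,
  # so each branch gets its own grok pattern. Both patterns are illustrative.
  if [type] == "dhcp" {
    grok {
      match => { "message" => "DHCPACK on %{IP:[dhcp][client_ip]} to %{MAC:[dhcp][client_mac]}" }
      tag_on_failure => ["_dhcp_grokfailure"]
    }
  } else if [type] == "firewall" {
    grok {
      match => { "message" => "%{WORD:[fw][action]} %{WORD:[fw][proto]} %{IP:[fw][src_ip]}:%{INT:[fw][src_port]} -> %{IP:[fw][dst_ip]}:%{INT:[fw][dst_port]}" }
      tag_on_failure => ["_fw_grokfailure"]
    }
  }
}

output {
  # One index per source, derived from [type], so adding a device means adding
  # a branch in the filter rather than another output block. An output with
  # explicit IFs per type, as option (a) describes, works the same way.
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "%{[type]}-%{+YYYY.MM.dd}"
  }
}
```

Two practical notes. Port 514 is a privileged port, and the `logstash` service user cannot bind to it on its own; either grant the JVM `CAP_NET_BIND_SERVICE` or keep a ufw/iptables redirect from 514 to an unprivileged port and set that port in the `syslog` input. And the `tag_on_failure` tags are worth watching: a sudden rise in `_dhcp_grokfailure` or `_fw_grokfailure` usually means a device changed its message format, so its events are landing in the right index but unparsed.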
