Logstash profile

GEHsu · November 2, 2022, 3:26am

System is Ubuntu
Logstash version 7.17

The current idea is to collect logs (via syslog-514Port) from different servers or network devices
Logstash will then send the log cut to Elasticsearch
I have successfully received logs and sent them to Elasticsearch

But I want to use conf to separate devices from different sources
For example, DHCP log will create a DHCP.conf which is the name of his Log representation and output index

I tried forwarding with ufw first
Convert 2 different source host 514 ports to specific ports
then separate conf
Also successfully delivered to Elasticsearch to build 2 indexes
But the content is not separated

Is there any other way to solve it?
Because the sources are different devices. Therefore, the log segmentation method is also different.

Rios · November 2, 2022, 8:59am

AFAIK you cannot have multiple configuration on the same port. When you set a port number LS will run an instance with a listener on that port.

Options:
a) One single.conf with few IFs which will handle cases of different sources. Always in a message there in a unique field to distinguish the source. Input must be the same, output will be again with IFs.
b) Multiple ports for every source, for instance 514-DHCP, 515-firewall,...

system · November 30, 2022, 9:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Separate syslog Logstash	1	78	April 16, 2024
Separate device in logstash based on the destination port Logstash	1	223	July 25, 2022
Logs from different ports issue Logstash	2	116	April 4, 2024
How to different syslog in the same port? Logstash	7	1614	February 20, 2022
Sending data from Logstash to Elasticsearch running on two different server Logstash	2	311	January 31, 2022

Logstash profile

Related Topics